Windows Analysis Report
Statement 2024-11-29 (K07234).exe

Overview

General Information

Sample name: Statement 2024-11-29 (K07234).exe
Analysis ID: 1572223
MD5: c40b747e2e9780944a16ea7f1da5bb2f
SHA1: 6a8075a86cb9e4f643653f0c812831352ec56cf3
SHA256: 2ce30c206c8b8fd863e98c63fa1c75b31a3c3018eab127c5496708cf8c95eb22
Tags: AgentTesla, exe, user-julianmckein

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Statement 2024-11-29 (K07234).exe (PID: 6720 cmdline: "C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe" MD5: C40B747E2E9780944A16EA7F1DA5BB2F)
    • RegSvcs.exe (PID: 432 cmdline: "C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • My App.exe (PID: 4088 cmdline: "C:\Users\user\AppData\Roaming\My App\My App.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • My App.exe (PID: 3184 cmdline: "C:\Users\user\AppData\Roaming\My App\My App.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 5156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.naubahar.com", "Username": "accounts@naubahar.com", "Password": "Hum$885+Nn"}
Source | Rule | Description | Author | Strings
00000002.00000002.4559205674.000000000251B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.4559205674.000000000251B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.4557900944.0000000000562000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.4557900944.0000000000562000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(6 further entries not shown)
Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.560000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.560000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.RegSvcs.exe.560000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x33996:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33a08:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33a92:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33b24:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33b8e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33c00:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33c96:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33d26:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(4 further entries not shown)
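The ditekSHen rule above fires on eight Windows vault schema GUIDs present as literal strings in the unpacked RegSvcs.exe image. The scanner below is an added example, not the rule itself and not Joe Security code: it searches a buffer for those GUIDs in both ASCII and UTF-16LE (a .NET string literal is stored UTF-16LE in the assembly's user-string heap, which is why a Yara rule for this needs the `wide` modifier alongside `ascii`), and fires on a count threshold. The threshold is an assumption, because the report quotes the rule's strings but not its condition; the sample buffer is constructed.

```python
"""Scan a buffer for the vault-schema GUIDs listed in the ditekSHen rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, in ASCII and UTF-16LE form."""
from typing import Dict, List, Tuple

# The eight GUID strings quoted in the report's Yara match ($s1..$s8).
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]


def find_vault_guids(buf: bytes) -> Dict[str, List[Tuple[int, str]]]:
    """Map each GUID found to its (offset, encoding) hits; encoding is 'ascii'
    or 'wide' (UTF-16LE, how .NET stores string literals). Case-insensitive."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    # bytes.lower() only folds ASCII letters, so lengths and offsets are unchanged.
    lowered = buf.lower()
    for guid in VAULT_SCHEMA_GUIDS:
        needles = (("ascii", guid.lower().encode("ascii")),
                   ("wide", guid.lower().encode("utf-16-le")))
        for encoding, needle in needles:
            start = 0
            while (pos := lowered.find(needle, start)) != -1:
                hits.setdefault(guid, []).append((pos, encoding))
                start = pos + 1
    return hits


def matches_rule(buf: bytes, minimum: int = 2) -> bool:
    """Fire when at least `minimum` distinct GUIDs are present. The threshold is
    an assumption: the report quotes the rule's strings, not its condition."""
    return len(find_vault_guids(buf)) >= minimum


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked .NET image: three GUIDs as UTF-16LE
    literals separated by padding, plus one lower-case ASCII copy of the last."""
    blob = bytearray(b"MZ" + b"\x00" * 0x3E)          # first GUID lands at 0x40
    for guid in VAULT_SCHEMA_GUIDS[:3]:
        blob += guid.encode("utf-16-le") + b"\x00" * 8
    blob += VAULT_SCHEMA_GUIDS[-1].lower().encode("ascii")
    return bytes(blob)


if __name__ == "__main__":
    for guid, where in find_vault_guids(build_sample()).items():
        print(guid, where)
    print("rule fires:", matches_rule(build_sample()))
```

Run it against a dump such as `2.2.RegSvcs.exe.560000.0.unpack` by passing the file's bytes to `find_vault_guids`; the offsets it returns are comparable to the `0x33996`-style offsets the report lists for `$s1`..`$s8`.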

                    System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\My App\My App.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 432, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My App
Source: Network Connection | Author: frack113 | Data: DestinationIp: 78.128.60.169, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 432, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49708
                    No Suricata rule has matched
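The two Sigma hits above, together with the process tree earlier in the report (RegSvcs.exe, PID 432, started with the dropper's own command line and carrying a different MD5, which alongside the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures points to process hollowing), are the three behaviours a responder would want to pull out of Sysmon telemetry. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. The events are constructed in the Key: Value form the Sigma section uses and mirror PID 432 plus two benign controls; the list of .NET host binaries and the mail-client allowlist are triage assumptions, not taken from the report.

```python
"""Triage Sysmon-style events for the three behaviours the report's Sigma
section and process tree show: a Run key written by RegSvcs.exe, outbound SMTP
from RegSvcs.exe, and a RegSvcs.exe whose command line names a different
executable (the hollowing tell in the process tree)."""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# .NET framework binaries commonly used as hollowing targets by AgentTesla
# loaders. Triage assumption; the report itself only shows RegSvcs.exe.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "applaunch.exe", "aspnet_compiler.exe"}
MAIL_PORTS = {25, 465, 587}
# Constructed allowlist of processes expected to speak SMTP from a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed events. The first three mirror PID 432 from the report; the
# Thunderbird and conhost events are benign controls that must not alert.
SAMPLE_EVENTS = [
    r'EventID: 1, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, '
    r'CommandLine: "C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe", ProcessId: 432, '
    r'ParentImage: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe',
    r'EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, '
    r'ProcessId: 432, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My App, '
    r'Details: C:\Users\user\AppData\Roaming\My App\My App.exe',
    r'EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 432, '
    r'Protocol: tcp, Initiated: true, DestinationIp: 78.128.60.169, DestinationPort: 587',
    r'EventID: 3, Image: C:\Program Files\Mozilla Thunderbird\thunderbird.exe, ProcessId: 9001, '
    r'Protocol: tcp, Initiated: true, DestinationIp: 203.0.113.5, DestinationPort: 587',
    r'EventID: 1, Image: C:\Windows\system32\conhost.exe, '
    r'CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5560, '
    r'ParentImage: C:\Users\user\AppData\Roaming\My App\My App.exe',
]

_FIELD = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key: Value, Key: Value' into a dict. Values may contain spaces,
    quotes and backslashes but never the ', Key: ' delimiter itself."""
    return dict(_FIELD.findall(line))


def exe_from_cmdline(cmdline: str) -> str:
    """Lower-cased basename of the program a command line launches."""
    if cmdline.startswith('"'):
        program = cmdline[1:].split('"', 1)[0]
    else:
        program = cmdline.split(" ", 1)[0]
    return ntpath.basename(program).lower()


def triage(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that trips one of three checks."""
    alerts: List[Tuple[str, int]] = []
    for line in lines:
        ev = parse_event(line)
        event_id = int(ev.get("EventID", "0"))
        image = ntpath.basename(ev.get("Image", "")).lower()
        pid = int(ev.get("ProcessId", "0"))
        if event_id == 1 and "CommandLine" in ev:
            # A hollowed host keeps the command line its loader gave it, so
            # RegSvcs.exe appears to be "running" the dropper's path.
            if exe_from_cmdline(ev["CommandLine"]) != image:
                alerts.append(("image_cmdline_mismatch", pid))
        elif event_id == 13 and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower():
            # Registry SetValue on a Run key performed by a .NET utility binary.
            if image in DOTNET_HOSTS:
                alerts.append(("run_key_from_dotnet_host", pid))
        elif event_id == 3 and int(ev.get("DestinationPort", "0")) in MAIL_PORTS:
            # Outbound SMTP from anything that is not an allowlisted mail client.
            if ev.get("Initiated") == "true" and image not in MAIL_CLIENTS:
                alerts.append(("smtp_from_non_mail_client", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
```

All three checks key on the same PID, which is the point: a single hollowed RegSvcs.exe both persists via the Run key and exfiltrates over SMTP, so correlating on ProcessId turns three medium-confidence hits into one high-confidence incident.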


                    AV Detection

Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.naubahar.com", "Username": "accounts@naubahar.com", "Password": "Hum$885+Nn"}
Source: Statement 2024-11-29 (K07234).exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: Statement 2024-11-29 (K07234).exe | Joe Sandbox ML: detected
Source: Statement 2024-11-29 (K07234).exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: Binary string: RegSvcs.pdb, source: My App.exe, 00000003.00000000.2228361358.0000000000B02000.00000002.00000001.01000000.00000006.sdmp, My App.exe.2.dr
Source: Binary string: wntdll.pdbUGP source: Statement 2024-11-29 (K07234).exe, 00000000.00000003.2099320495.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Statement 2024-11-29 (K07234).exe, 00000000.00000003.2098929897.0000000003B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Statement 2024-11-29 (K07234).exe, 00000000.00000003.2099320495.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Statement 2024-11-29 (K07234).exe, 00000000.00000003.2098929897.0000000003B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb! source: RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp, My App.exe, 00000003.00000000.2228361358.0000000000B02000.00000002.00000001.01000000.00000006.sdmp, My App.exe.2.dr
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_008337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00833B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 78.128.60.169:587
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | ASN Name: TELEPOINTBG
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_008422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.naubahar.com
Source: RegSvcs.exe, 00000002.00000002.4559205674.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.naubahar.com
Source: RegSvcs.exe, 00000002.00000002.4559205674.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://naubahar.com
Source: RegSvcs.exe, 00000002.00000002.4562429042.0000000005A4A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004F1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AFD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561689993.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B1E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000251B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558278978.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558134905.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r10.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.4562429042.0000000005A4A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004F1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AFD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561689993.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B1E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000251B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558278978.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558134905.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000002.00000002.4559205674.00000000024D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4562429042.0000000005A4A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558134905.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004F1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AFD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561689993.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B1E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562402853.0000000005A40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.4562429042.0000000005A4A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558134905.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004F1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AFD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561689993.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B1E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562402853.0000000005A40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Statement 2024-11-29 (K07234).exe, 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4557900944.0000000000562000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Statement 2024-11-29 (K07234).exe, 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4557900944.0000000000562000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000024D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, 3DlgK9re6m.cs | .Net Code: fFp8M22zp
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00844164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00843F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0085CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                    System Summary

Source: 2.2.RegSvcs.exe.560000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007D3B3A: This is a third-party compiled AutoIt script.
Source: Statement 2024-11-29 (K07234).exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Statement 2024-11-29 (K07234).exe, 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_4f56b6e3-3
Source: Statement 2024-11-29 (K07234).exe, 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_0012e0ae-d
Source: Statement 2024-11-29 (K07234).exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_481a80fb-7
Source: Statement 2024-11-29 (K07234).exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_5bbdd99b-f
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00828310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_008351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007FD975
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007F21C5
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_008062D2
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_008503DA
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0080242E
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007F25FA
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0082E616
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007E66E1
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007DE6A0
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0080878F
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00838889
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007E8808
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00806844
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00850857
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007FCB21
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00806DB6
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007E6F9E
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007E3030
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007FF1D9
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007F3187
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007D1287
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007F1484
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007E5520
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007F7696
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007E5760
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007F1978
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00809AB5
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007DFCE0
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00857DDB
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007FBDA6
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_007F1D900_2_007F1D90
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_007DDF000_2_007DDF00
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_007E3FE00_2_007E3FE0
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_011B53800_2_011B5380
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_008E41D82_2_008E41D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_008E4AA82_2_008E4AA8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_008EEAB12_2_008EEAB1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_008EACF02_2_008EACF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_008E3E902_2_008E3E90
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0510ABDC2_2_0510ABDC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05F555C82_2_05F555C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05F57D982_2_05F57D98
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05F534882_2_05F53488
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05F566102_2_05F56610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05F5C1982_2_05F5C198
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05F5B2382_2_05F5B238
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05F55D032_2_05F55D03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05F576B82_2_05F576B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05F500402_2_05F50040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05F5003E2_2_05F5003E
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: String function: 007F8900 appears 42 times
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: String function: 007D7DE1 appears 35 times
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: String function: 007F0AE3 appears 70 times
                    Source: Statement 2024-11-29 (K07234).exe, 00000000.00000003.2098929897.0000000003CBD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Statement 2024-11-29 (K07234).exe
                    Source: Statement 2024-11-29 (K07234).exe, 00000000.00000003.2098821248.0000000003B13000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Statement 2024-11-29 (K07234).exe
                    Source: Statement 2024-11-29 (K07234).exe, 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilename7cbfaa9d-7661-43bf-b907-d799f73c10a9.exe4 vs Statement 2024-11-29 (K07234).exe
                    Source: Statement 2024-11-29 (K07234).exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 2.2.RegSvcs.exe.560000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, slKb.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, mAKJ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, xQRSe0Fg.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, n3rhMa.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, MQzE4FWn.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, nSmgRyX5a1.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, 6IMLmJtk.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, 6IMLmJtk.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, 3HroK7qN.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, 3HroK7qN.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/8@2/2
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_0083A06A GetLastError,FormatMessageW,0_2_0083A06A
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_008281CB AdjustTokenPrivileges,CloseHandle,0_2_008281CB
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_008287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_008287E1
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_0083B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0083B3FB
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_0084EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0084EE0D
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_0083C397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0083C397
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_007D4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_007D4E89
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\My AppJump to behavior
                    Source: C:\Users\user\AppData\Roaming\My App\My App.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeFile created: C:\Users\user\AppData\Local\Temp\autF5A7.tmpJump to behavior
                    Source: Statement 2024-11-29 (K07234).exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000002.00000002.4558278978.0000000000771000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: select * from Win32_OperatingSystem);
Source: Statement 2024-11-29 (K07234).exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe "C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe"
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\My App\My App.exe "C:\Users\user\AppData\Roaming\My App\My App.exe"
Source: C:\Users\user\AppData\Roaming\My App\My App.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\My App\My App.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\My App\My App.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\My App\My App.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\My App\My App.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\My App\My App.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Statement 2024-11-29 (K07234).exe Static file information: File size 1065984 > 1048576
Source: Statement 2024-11-29 (K07234).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Statement 2024-11-29 (K07234).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Statement 2024-11-29 (K07234).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Statement 2024-11-29 (K07234).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Statement 2024-11-29 (K07234).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Statement 2024-11-29 (K07234).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Statement 2024-11-29 (K07234).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RegSvcs.pdb, source: My App.exe, 00000003.00000000.2228361358.0000000000B02000.00000002.00000001.01000000.00000006.sdmp, My App.exe.2.dr
Source: Binary string: wntdll.pdbUGP source: Statement 2024-11-29 (K07234).exe, 00000000.00000003.2099320495.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Statement 2024-11-29 (K07234).exe, 00000000.00000003.2098929897.0000000003B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Statement 2024-11-29 (K07234).exe, 00000000.00000003.2099320495.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Statement 2024-11-29 (K07234).exe, 00000000.00000003.2098929897.0000000003B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb! source: RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp, My App.exe, 00000003.00000000.2228361358.0000000000B02000.00000002.00000001.01000000.00000006.sdmp, My App.exe.2.dr
Source: Statement 2024-11-29 (K07234).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Statement 2024-11-29 (K07234).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Statement 2024-11-29 (K07234).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Statement 2024-11-29 (K07234).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Statement 2024-11-29 (K07234).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Code function: 0_2_007D4B37 LoadLibraryA,GetProcAddress, 0_2_007D4B37
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Code function: 0_2_007F8945 push ecx; ret 0_2_007F8958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_008E0C6D push edi; retf 2_2_008E0C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05102588 push eax; iretd 2_2_0510256C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\My App\My App.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run My App

                    Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\My App\My App.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Code function: 0_2_007D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_007D48D7
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Code function: 0_2_00855376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00855376
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Code function: 0_2_007F3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_007F3187
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Process information set: NOOPENFILEERRORBOX (34 identical entries)

                    Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | API/Special instruction interceptor: Address: 11B4FA4
Source: Statement 2024-11-29 (K07234).exe, 00000000.00000003.2089648471.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Statement 2024-11-29 (K07234).exe, 00000000.00000003.2091051663.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, Statement 2024-11-29 (K07234).exe, 00000000.00000002.2102013132.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, Statement 2024-11-29 (K07234).exe, 00000000.00000003.2090528370.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, Statement 2024-11-29 (K07234).exe, 00000000.00000003.2089691202.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, Statement 2024-11-29 (K07234).exe, 00000000.00000003.2091367127.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, Statement 2024-11-29 (K07234).exe, 00000000.00000003.2090172078.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, Statement 2024-11-29 (K07234).exe, 00000000.00000003.2090692675.00000000011BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXERG`
Source: Statement 2024-11-29 (K07234).exe, 00000000.00000002.2102510827.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE0
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Memory allocated: 2D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Memory allocated: 2F20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Memory allocated: C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Memory allocated: 2960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Memory allocated: 27A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2175
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-102585)
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | API coverage: 4.7 %
Source: C:\Users\user\AppData\Roaming\My App\My App.exe TID: 1976 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\My App\My App.exe TID: 1812 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (43 identical entries)
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_008337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00833B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0083BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: 52 calls with decreasing delay times: 100000, 99875, 99765, 99656, 99547, 99437, 99328, 99218, 99109, 98997, 98886, 98781, 98672, 98562, 98453, 98343, 98234, 98121, 98015, 97906, 97764, 97654, 97537, 97406, 97297, 97187, 97078, 96968, 96858, 96750, 96640, 96531, 96422, 96312, 96203, 96080, 95953, 95843, 95733, 95625, 95515, 95383, 95265, 95156, 95039, 94916, 94780, 94671, 94562, 94453, 94343, 94234
                    Source: C:\Users\user\AppData\Roaming\My App\My App.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\My App\My App.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: RegSvcs.exe, 00000002.00000002.4562429042.0000000005A4A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeAPI call chain: ExitProcess graph end nodegraph_0-101242
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeAPI call chain: ExitProcess graph end nodegraph_0-101308
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_00843F09 BlockInput,0_2_00843F09
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_007D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_007D3B3A
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_00805A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00805A7C
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_007D4B37 LoadLibraryA,GetProcAddress,0_2_007D4B37
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_011B5210 mov eax, dword ptr fs:[00000030h]0_2_011B5210
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_011B5270 mov eax, dword ptr fs:[00000030h]0_2_011B5270
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_011B3BD0 mov eax, dword ptr fs:[00000030h]0_2_011B3BD0
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_008280A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_008280A9
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_007FA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_007FA155
                    Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exeCode function: 0_2_007FA124 SetUnhandledExceptionFilter,0_2_007FA124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 357008
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_008287B1 LogonUserW,0_2_008287B1
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_007D3B3A
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_007D48D7
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00834C27 mouse_event,0_2_00834C27
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe"
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00827CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00827CAF
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_0082874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0082874B
Source: Statement 2024-11-29 (K07234).exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Statement 2024-11-29 (K07234).exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007F862B cpuid 0_2_007F862B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Queries volume information: C:\Users\user\AppData\Roaming\My App\My App.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Queries volume information: C:\Users\user\AppData\Roaming\My App\My App.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\My App\My App.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00804E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00804E87
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00811E06 GetUserNameW,0_2_00811E06
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00803F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00803F3A
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_007D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_007D49A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Statement 2024-11-29 (K07234).exe, 00000000.00000002.2102510827.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mcupdate.exe

                    Stealing of Sensitive Information

Source: Yara match | File source: 2.2.RegSvcs.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4559205674.000000000251B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4557900944.0000000000562000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Statement 2024-11-29 (K07234).exe PID: 6720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 432, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Statement 2024-11-29 (K07234).exe | Binary or memory string: WIN_81
Source: Statement 2024-11-29 (K07234).exe | Binary or memory string: WIN_XP
Source: Statement 2024-11-29 (K07234).exe | Binary or memory string: WIN_XPe
Source: Statement 2024-11-29 (K07234).exe | Binary or memory string: WIN_VISTA
Source: Statement 2024-11-29 (K07234).exe | Binary or memory string: WIN_7
Source: Statement 2024-11-29 (K07234).exe | Binary or memory string: WIN_8
Source: Statement 2024-11-29 (K07234).exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match | File source: 2.2.RegSvcs.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4559205674.000000000251B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4557900944.0000000000562000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Statement 2024-11-29 (K07234).exe PID: 6720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 432, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 2.2.RegSvcs.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Statement 2024-11-29 (K07234).exe.10f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4559205674.000000000251B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4557900944.0000000000562000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Statement 2024-11-29 (K07234).exe PID: 6720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 432, type: MEMORYSTR
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00846283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00846283
Source: C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe | Code function: 0_2_00846747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00846747
MITRE ATT&CK Matrix (one tactic per line; techniques listed in the report's row order; a number in front of a technique is the count the report shows for it)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 121 Windows Management Instrumentation; 2 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; 1 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 141 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; 1 Hidden Files and Directories
Credential Access: 2 OS Credential Dumping; 121 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 138 System Information Discovery; 351 Security Software Discovery; 141 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 121 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (rendered graph not reproduced; its node contents follow)
Behavior Graph ID: 1572223
Sample: Statement 2024-11-29 (K07234).exe
Startdate: 10/12/2024
Architecture: WINDOWS
Score: 100
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
Network nodes: naubahar.com; mail.naubahar.com; api.ipify.org
Process tree:
• Statement 2024-11-29 (K07234).exe (started): Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Maps a DLL or memory area into another process
• RegSvcs.exe (started by Statement 2024-11-29 (K07234).exe): contacts naubahar.com 78.128.60.169, 49708, 49929, 49960 TELEPOINTBG Bulgaria and api.ipify.org 104.26.12.205, 443, 49707 CLOUDFLARENETUS United States; dropped C:\Users\user\AppData\Roaming\...\My App.exe, PE32; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 3 other signatures
• My App.exe (started): starts conhost.exe
• My App.exe (started): starts conhost.exe

Source | Detection | Scanner | Label | Link
Statement 2024-11-29 (K07234).exe | 45% | ReversingLabs | Win32.Trojan.AutoitInject |
Statement 2024-11-29 (K07234).exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\My App\My App.exe | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://naubahar.com | 0% | Avira URL Cloud | safe |
http://mail.naubahar.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
naubahar.com | 78.128.60.169 | true | true | | unknown
api.ipify.org | 104.26.12.205 | true | false | | high
mail.naubahar.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | Statement 2024-11-29 (K07234).exe, 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4557900944.0000000000562000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000024D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://r10.o.lencr.org0# | RegSvcs.exe, 00000002.00000002.4562429042.0000000005A4A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004F1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AFD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561689993.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B1E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000251B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558278978.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558134905.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | Statement 2024-11-29 (K07234).exe, 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4557900944.0000000000562000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://naubahar.com | RegSvcs.exe, 00000002.00000002.4559205674.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.4559205674.00000000024D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.naubahar.com | RegSvcs.exe, 00000002.00000002.4559205674.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | RegSvcs.exe, 00000002.00000002.4562429042.0000000005A4A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558134905.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004F1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AFD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561689993.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B1E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562402853.0000000005A40000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | RegSvcs.exe, 00000002.00000002.4562429042.0000000005A4A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558134905.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004F1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AFD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561689993.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B1E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562402853.0000000005A40000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://r10.i.lencr.org/0 | RegSvcs.exe, 00000002.00000002.4562429042.0000000005A4A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004F1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AFD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561777184.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000268C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4561689993.0000000004E82000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B1E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000029AC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.000000000251B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558278978.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002844000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005AEF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4558134905.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.00000000025E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4559205674.0000000002589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4562628447.0000000005B3D000.00000004.00000020.00020000.00000000.sdmp | false |
                                          high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENET (US) | false
78.128.60.169 | naubahar.com | Bulgaria | 31083 | TELEPOINT (BG) | true
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1572223
                                          Start date and time:2024-12-10 09:34:05 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 8m 4s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:Statement 2024-11-29 (K07234).exe
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@7/8@2/2
                                          EGA Information:
                                          • Successful, ratio: 50%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 58
                                          • Number of non-executed functions: 271
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                          • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Execution Graph export aborted for target My App.exe, PID 3184 because it is empty
                                          • Execution Graph export aborted for target My App.exe, PID 4088 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: Statement 2024-11-29 (K07234).exe
Time | Type | Description
03:34:57 | API Interceptor | 11716434x Sleep call for process: RegSvcs.exe modified
09:34:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run My App C:\Users\user\AppData\Roaming\My App\My App.exe
09:35:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run My App C:\Users\user\AppData\Roaming\My App\My App.exe
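The two Autostart rows above are the persistence this report captures: a Run value named "My App" whose data is an unquoted path with spaces into the user's AppData\Roaming, written in both registry views. The following is an added triage helper (not part of the Joe Sandbox report or the sample) that applies the checks a responder would run on a host's Run keys: is the executable under a user-writable directory, is the path unquoted despite containing spaces, and does the executable sit in a folder of its own name. The first two sample entries are the report's own rows; the remaining entries, the directory list and the heuristic itself are my own constructions, not Joe Sandbox's logic.

```python
"""Flag Run-key autostart entries like the one this report records.

Added example; not part of the sandbox output or the sample. The first
two SAMPLE_ENTRIES are the report's rows, the others are constructed
benign neighbours, and the heuristic is mine.
"""
import re
import sys
from dataclasses import dataclass

# Directories an ordinary user can write to (assumed list, lower-cased);
# a Run value pointing here deserves a look whatever the binary is called.
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
    "\\programdata\\",
)


@dataclass
class RunEntry:
    hive: str       # "HKCU", "HKCU64", "HKLM" ... as the report labels them
    name: str       # value name, e.g. "My App"
    command: str    # value data, e.g. the unquoted path from the report


def executable_path(command: str) -> str:
    """Extract the program path from a Run value.

    Three shapes occur: a quoted path, an unquoted path without spaces,
    and (as in this report) an unquoted path with spaces, where the
    executable ends at the first '.exe'.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    if m:
        return cmd[: m.end()]
    return cmd.split()[0] if cmd else ""


def reasons(entry: RunEntry) -> list[str]:
    """Return the list of heuristics the entry trips (empty = nothing odd)."""
    path = executable_path(entry.command)
    low = path.lower()
    out = []
    if any(d in low for d in USER_WRITABLE):
        out.append("executable under a user-writable directory")
    if " " in path and not entry.command.strip().startswith('"'):
        out.append("unquoted path with spaces")
    parts = low.split("\\")
    if len(parts) >= 2 and parts[-1].endswith(".exe") and parts[-1][:-4] == parts[-2]:
        out.append("executable name matches its parent folder")
    return out


def triage(entries: list[RunEntry]) -> list[tuple[RunEntry, list[str]]]:
    """Keep only entries with at least one reason, paired with the reasons."""
    return [(e, r) for e in entries if (r := reasons(e))]


def collect_live() -> list[RunEntry]:
    """Read the Run keys on a Windows host; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library on Windows
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    found = []
    for label, root, view in (
        ("HKCU", winreg.HKEY_CURRENT_USER, winreg.KEY_WOW64_64KEY),
        ("HKCU32", winreg.HKEY_CURRENT_USER, winreg.KEY_WOW64_32KEY),
        ("HKLM", winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_64KEY),
        ("HKLM32", winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_32KEY),
    ):
        try:
            key = winreg.OpenKey(root, sub, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                found.append(RunEntry(label, name, str(data)))
                i += 1
    return found


# Constructed input: the report's two rows plus made-up benign entries.
SAMPLE_ENTRIES = [
    RunEntry("HKCU", "My App", r"C:\Users\user\AppData\Roaming\My App\My App.exe"),
    RunEntry("HKCU64", "My App", r"C:\Users\user\AppData\Roaming\My App\My App.exe"),
    RunEntry("HKLM", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    RunEntry("HKCU", "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for entry, why in triage(collect_live() or SAMPLE_ENTRIES):
        print(f"{entry.hive}\\...\\Run  {entry.name!r} -> {entry.command}")
        for w in why:
            print("    -", w)
```

Run on a Windows host it enumerates both registry views of the Run keys; elsewhere it falls back to the constructed sample, where only the two report rows are flagged, each for all three reasons.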
Related samples by IP (Joe Sandbox View)
Sample | Detection | Threat name | Context
Match: 104.26.12.205
xKvkNk9SXR.exe | malicious | TrojanRansom | api.ipify.org/
GD8c7ARn8q.exe | malicious | TrojanRansom | api.ipify.org/
8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | api.ipify.org/
Simple2.exe | malicious | Unknown | api.ipify.org/
Ransomware Mallox.exe | malicious | Targeted Ransomware | api.ipify.org/
Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
6706e721f2c06.exe | malicious | Remcos | api.ipify.org/
perfcc.elf | malicious | Xmrig | api.ipify.org/
SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | malicious | RDPWrap Tool | api.ipify.org/
SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe | malicious | RDPWrap Tool | api.ipify.org/
Match: 78.128.60.169
new order (June - 2024).exe | malicious | AgentTesla |
HSBC 7,000.00 USD Make Payments _ autoPay.exe | malicious | AgentTesla |
Note: 104.26.12.205 is the Cloudflare front for api.ipify.org and is shared by unrelated families (ransomware, miners, RATs in the rows above), so it is a weak indicator; 78.128.60.169 co-occurs only with AgentTesla samples.
Related samples by domain (Joe Sandbox View)
Sample | Detection | Threat name | Resolved IP
Match: api.ipify.org
Employee_Letter.pdf | malicious | HTMLPhisher | 104.26.13.205
1mr7lpFIVI.exe | malicious | Unknown | 104.26.12.205
jKDBppzWTb.exe | malicious | AgentTesla | 172.67.74.152
enyi.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
proforma invoice.exe | malicious | AgentTesla | 104.26.13.205
x.ps1 | malicious | PureLog Stealer, Quasar | 104.26.12.205
file.exe | malicious | Quasar | 104.26.13.205
Xeno Executor.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
file.exe | malicious | Amadey, CredGrabber, LummaC Stealer, Meduza Stealer, Stealc, Vidar | 172.67.74.152
file.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
Related samples by ASN (Joe Sandbox View)
Sample / URL | Detection | Threat name | IP
Match: CLOUDFLARENET (US)
Request for Quotation_10.12.2024.exe | malicious | MassLogger RAT | 104.21.67.152
SALARY_RECEIPT.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg== | malicious | Unknown | 172.64.150.63
file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 172.67.213.48
lFxGd66yDa.exe | malicious | NetSupport RAT | 104.26.0.231
Jjv9ha2GKn.exe | malicious | NetSupport RAT, DarkTortilla | 104.26.0.231
file.exe | malicious | LummaC Stealer | 104.21.80.1
Valutazione della sicurezza IT - Azione urgente richiesta.html | malicious | Unknown | 104.16.117.116
file.exe | malicious | LummaC Stealer | 104.21.16.1
matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 104.21.84.67
Match: TELEPOINT (BG)
m68k.elf | malicious | Unknown | 78.142.32.108
la.bot.powerpc.elf | malicious | Unknown | 91.148.148.13
https://vividgold.agency/wp-includes/css/in.html | malicious | Unknown | 217.174.152.68
rfq_last_quater_product_purchase_order_import_list_12_06_2024_000000120924.bat | malicious | GuLoader, Remcos | 217.174.149.153
rfq_last_quater_product_purchase_order_import_list_11_06_2024_000000110924.cmd | malicious | GuLoader, Remcos | 78.128.60.222
https://t4w86zlc.r.sa-east-1.awstrack.me/L0/https:%2F%2Fdeverechemicals3.s3.amazonaws.com%2FDeveres3project002files.htm/1/010301919a36c887-bd0fadb9-69a9-4c66-8a65-7770fcfd1a1e-000000/4liC3XgeimVwv5ob78Q6Bl4nESk=173 | malicious | HTMLPhisher | 78.142.63.8
Play_VMNow-GlobalpCOINC.html | malicious | HTMLPhisher | 78.142.63.8
https://newbostondentalcare-my.sharepoint.com/:b:/g/personal/maryellen_newbostondental_com/ERDvxS5UJSxPtXyWuklCyAMBDYWal6mJXrTJHUf_OfHqfg?e=5l0sTu | malicious | Phisher | 78.142.63.8
https://bodypleazure.com/wp-content/uploads/Tp5a/ | malicious | Unknown | 78.142.63.103
new order (June - 2024).exe | malicious | AgentTesla | 78.128.60.169
Related samples by JA3 fingerprint (Joe Sandbox View)
Sample | Detection | Threat name | IP
Match: 3b5074b1b5d032e5620f69f9f700ff0e
SALARY_RECEIPT.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.12.205
matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 104.26.12.205
aXxRRIGARH.exe | malicious | Unknown | 104.26.12.205
aXxRRIGARH.exe | malicious | Unknown | 104.26.12.205
Dfim58cp4J.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.26.12.205
Wh2c6sgwRo.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.26.12.205
interior-design-villa-a23.lnk | malicious | MalLnk | 104.26.12.205
Payment_Advice.vbs | malicious | Unknown | 104.26.12.205
APQSKVTvd60SdAM.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.12.205
file.exe | malicious | LummaC Stealer | 104.26.12.205
Note: every row here is a different family talking to the same api.ipify.org endpoint, which is what a fingerprint shared by a common TLS client stack looks like; do not pivot on this JA3 value alone.
Related samples by dropped file (Joe Sandbox View)
Sample | Detection | Threat name
Match: C:\Users\user\AppData\Roaming\My App\My App.exe
PO54782322024.exe | malicious | AgentTesla
m30zZYga23.exe | malicious | AgentTesla
RFQ.exe | malicious | AgentTesla, PureLog Stealer
AWB#150332.exe | malicious | AgentTesla
SOA_9828392091.exe | malicious | AgentTesla
ngPebbPhbp.exe | malicious | RHADAMANTHYS
Pi648je050.exe | malicious | AgentTesla, PureLog Stealer
shipping documents.exe | malicious | AgentTesla
Termination_List_November_2024_pdf.exe | malicious | AgentTesla
Payment_Advice_USD_48,054.40_.exe | malicious | AgentTesla
                                                                  Process:C:\Users\user\AppData\Roaming\My App\My App.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):142
                                                                  Entropy (8bit):5.090621108356562
                                                                  Encrypted:false
                                                                  SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                  MD5:8C0458BB9EA02D50565175E38D577E35
                                                                  SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                  SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                  SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                  Process:C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):241664
                                                                  Entropy (8bit):6.708684532963048
                                                                  Encrypted:false
                                                                  SSDEEP:6144:Vrsa+yvegnoWwoRkCB3RWcSi1+GB+yzo0FY+:T+MegV/W++I7bFY+
                                                                  MD5:5DA78D133627BE59D75CDD3C9DB903C7
                                                                  SHA1:6C440FE9CF930278DCAFB6981FD3286AEA7BB38B
                                                                  SHA-256:794838C10800BA9539C9502D096E4BF33577931A45B8DBBB26C4CEBDFDEACCA8
                                                                  SHA-512:5D3D3283C684511D6BFE36077D159D85BB81ADDADD2E2241110BA5866C74430BA9B9E03892334893146529BBC6CB7336E795446A38A81B12538F61DF7DEBA1E1
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:...I6ZJW^AXF..76.WUP5RJ8.FZRZ9I5ZJWZAXFMH76HWUP5RJ8KFZRZ9I5Z.WZAVY.F7.A.t.4.....3!zI;Z=867a;'#&XBh50pG'$."(z..jiX5.2tLULiH76HWUPe.J8.GYR..rSZJWZAXFM.74I\T[5R.;KFRRZ9I5ZT.YAXfMH7.KWUPuRJ.KFZPZ9M5ZJWZAXBMH76HWUP.VJ8IFZRZ9I7Z..ZAHFMX76HWEP5BJ8KFZRJ9I5ZJWZAXFM..5H.UP5R.;K._RZ9I5ZJWZAXFMH76HWUP1RF8KFZRZ9I5ZJWZAXFMH76HWUP5RJ8KFZRZ9I5ZJWZAXFMH76HWUP5rJ8CFZRZ9I5ZJWZIxFM.76HWUP5RJ8Kh.7"MI5Zn.YAXfMH7.KWUR5RJ8KFZRZ9I5ZJwZA8h?;EUHWU.0RJ8.EZR\9I5.IWZAXFMH76HWUPuRJxe4?>5ZI5VJWZAXBMH56HW.S5RJ8KFZRZ9I5Z.WZ.XFMH76HWUP5RJ8KFZ.Y9I5ZJ.ZAXDMM7..UU..SJ;KFZSZ9O5ZJWZAXFMH76HWUP5RJ8KFZRZ9I5ZJWZAXFMH76HWUP5RJ8K[.....}d.*dK:A.n.Q.T..&..A..U.O.2!...L.....=Q..5.E...[.../.__8Y....p7^!;:.OdI;.G..i.wv....K&.L......$>o.s...o.....N,....B..6?X|+H;*?|.X/T(#.X.YFMH7.......Q3...Y6W.H2....yZO`...KRJ8/FZR(9I5;JWZ.XFM'76H9UP5,J8K8ZRZ.I5Z.WZAoFMH.6HW8P5Rn8KF$RZ9.HUE..15.76HWUe..z.&.....~...a+.&./p..3....Ok.I2.-z.r..Y.3.._e]Nt..2SL<ND]VY5t;....`ZBIM51LTYm;....g.t..p...&....7.K6HWUP5.J8.FZR.I.ZJW.A.F..76H.P.R.8...R
                                                                  Process:C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):158042
                                                                  Entropy (8bit):7.93978445178166
                                                                  Encrypted:false
                                                                  SSDEEP:3072:v7LLFGOHm7u4lDRx/VGAP3TJLLRqJplFpdCL9ku81L2jPtlxwXUUsyod:v7LLFWRPLRqpFpULau81L2ZlxwEUNe
                                                                  MD5:CB4B39B2F33C4C1F71C7BF52AB09F6F9
                                                                  SHA1:D3B3C4A53B853377EA42AC7B847E07354E8E5419
                                                                  SHA-256:46EB907BEEAA1FE5D20554CC185E1E1C6AF93C74DD3D6ED1234AF8475A1A914F
                                                                  SHA-512:25F5321ECA0A19154FFB1DAB266E8488C631504BE1BC959CF4965912EF795A310E002B057E4F05823040E7C1953A63BAA3964B1AE921D6CFB137F50102B85289
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:EA06......54..j.W.Pk.m..o6.U...J.8..U*..5..+@.e6.7.R...K...(.l.V~.i.....z&..<f?...oT..j{8.M.3.<.MX.Z&....O$.H....V.i.Me.+.2.L..(....N .z.K...T..5...)5.nkR.N.tj..f*.:...f..:..b.R.F.!.jsM......QZ.*qI......V.4.56..6.j.Z...)@...}&.. ........?.cR..y..;.....T....o.......6.]7.S@..w..c9.........T...;..@.....l..kU*....6|.!...4....L..........(....j..{.e. ..|..Si.~wb.U.A.t....S.Ni.......[.~.^......Y)s..B...j./......a5X.?.2......33......G....._cO[..09.~.._.Vt...cmp..3..f.d....}.........&.S>.....O..........M4Z.,.Evzj...6../..D.U?.Bk....G.n. .O_q...p=^.Fg.._.3j...2..z;|].O.x....,....l....v..A.6.8..9..%........b.o.Q"@.d......@..H..{>.L.k...V^.^...u.<H/.....l2...;/.x..9..7.S.}:L.9-.AnZ=.g......-v.t..&U:d.D..3[..#..c....&.5..*..l.3.......o.p..{.o..}...i`/X.........eN...F...!.....mg..7j....*.i}.]..M%...j}2..,0h.bw4..r.V.P...-.......T.l.K`..L.I_..5..^.7.M..a..8..d.7.?.J`...2a....[..kR.N.;.....YiUz..{F..#..T.]P....M.O).6b.).j.R..&.h..WQ..)q(..yR.L.3Z.:....
                                                                  Process:C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):14610
                                                                  Entropy (8bit):7.6297784836527365
                                                                  Encrypted:false
                                                                  SSDEEP:384:ITYznwlR6ovC0TD4gjTaJEtxtQ6db6KVhfkz:IAwlooK0TMgjmJEtn9V8z
                                                                  MD5:14017174E50440450E47843368DF1DE8
                                                                  SHA1:6437CBEDF9FF5071B1B60511631C99042D2C7695
                                                                  SHA-256:E7E6F38D7D24319A77D0150CC859CD2E21A11D481D088A5199BC62310721A666
                                                                  SHA-512:0A1AD8818C2F32408B41D2CAEBE1FDA53B5583F4AA392B2ECC8031B18ABC9AA06523EF73088C16D43B01DB15E4AF3C51720ACFD1C74D7E157C369B5FC535BE12
                                                                  Malicious:false
                                                                  Preview:EA06..0..[.....+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                                                  Process:C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe
                                                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):143378
                                                                  Entropy (8bit):2.9929836460833643
                                                                  Encrypted:false
                                                                  SSDEEP:96:AIXLr4e+F05BLMoQCs0FlRZpA67gnCUEGcud9IvySuE3WrWVjj3qnBaAJZdjureP:H3BjDRpTGcud9IvySuE3WrWVfqnBaA
                                                                  MD5:B1CE0C93E64A9F5D7C0C0F67D6E75BB1
                                                                  SHA1:7E1DC6C3D523369AEA574696FEE4CFCF05600CC4
                                                                  SHA-256:4D18AF594D3AB569B88EAA2B5C6847DD7BFC1F5BEDAFE338DECE0BC9DEED95BC
                                                                  SHA-512:ACAA14C09C260086477E9805663AB89BABBD150EDEFACCFC7950DFB1979D2B19914697F2768E28ECA4A3C0DBACA97CEBA8C038638A6E9F307B077A86E86F0065
                                                                  Malicious:false
                                                                  Preview:dowp0dowpxdowp5dowp5dowp8dowpbdowpedowpcdowp8dowp1dowpedowpcdowpcdowpcdowp0dowp2dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowpbdowp8dowp6dowpbdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowp4dowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowp6dowpbdowpadowp7dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowp8dowpbdowp8dowp6dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowpadowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowpcdowpbdowpadowp6dowpcdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowpedowpbdowp8dowp3dowp3dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp9dowp0dowpbdowp9dowp3dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp9dowp2dowpbdowpadowp2dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp9dowp4dowpbdowp8dowp6dowp4dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9
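The dropped file above (143,378 bytes, entropy 2.99, no line terminators) is not random data: the preview is hex digits with the literal string "dowp" placed before every character, so the low entropy comes from the repeated delimiter. Stripping it leaves "0x558bec81eccc020000..." and those bytes disassemble as an x86 prologue (push ebp; mov ebp, esp; sub esp, 0x2cc; push esi; push edi) followed by a run of "mov reg, imm32 / mov word [ebp+disp], reg16" pairs whose immediates spell "kernel32." two bytes apart, the usual way position-independent code builds a wide string on the stack before resolving APIs. The decoder below is an added example, not Joe Sandbox's code nor anything from the sample; the delimiter, the 0x prefix and the bytes come from the preview printed on the page, the function names are mine, and that the rest of the 143 KB file uses the same scheme is an assumption, since only the preview is shown.

```python
"""Decode the delimiter-separated hex blob the stager drops and recover the
stack string in the x86 code it contains.

Added example for this report, not sandbox output or sample code. The
delimiter, the 0x prefix and the bytes are taken from the report's preview
of the 143,378-byte dropped file; the helper names are mine, and applying
this to the whole file assumes it keeps the same encoding past the preview.
"""
import struct

# Constructed input: the report's preview, split at instruction boundaries
# so each piece can be checked against the bytes it encodes.
SAMPLE = (
    "dowp0dowpx"                                   # "0x" prefix
    "dowp5dowp5"                                   # 55       push ebp
    "dowp8dowpbdowpedowpc"                         # 8b ec    mov ebp, esp
    "dowp8dowp1dowpedowpcdowpcdowpcdowp0dowp2dowp0dowp0dowp0dowp0"
                                                   # 81 ec cc 02 00 00  sub esp, 0x2cc
    "dowp5dowp6dowp5dowp7"                         # 56 57    push esi; push edi
    # mov eax/ecx/edx, <code unit> ; mov word [ebp-0x7c, -0x7a, ...], ax/cx/dx
    "dowpbdowp8dowp6dowpbdowp0dowp0dowp0dowp0dowp0dowp0" "dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowp4"  # 'k'
    "dowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0" "dowp6dowp6dowp8dowp9dowp4dowpddowp8dowp6"  # 'e'
    "dowpbdowpadowp7dowp2dowp0dowp0dowp0dowp0dowp0dowp0" "dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowp8"  # 'r'
    "dowpbdowp8dowp6dowpedowp0dowp0dowp0dowp0dowp0dowp0" "dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowpa"  # 'n'
    "dowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0" "dowp6dowp6dowp8dowp9dowp4dowpddowp8dowpc"  # 'e'
    "dowpbdowpadowp6dowpcdowp0dowp0dowp0dowp0dowp0dowp0" "dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowpe"  # 'l'
    "dowpbdowp8dowp3dowp3dowp0dowp0dowp0dowp0dowp0dowp0" "dowp6dowp6dowp8dowp9dowp4dowp5dowp9dowp0"  # '3'
    "dowpbdowp9dowp3dowp2dowp0dowp0dowp0dowp0dowp0dowp0" "dowp6dowp6dowp8dowp9dowp4dowpddowp9dowp2"  # '2'
    "dowpbdowpadowp2dowpedowp0dowp0dowp0dowp0dowp0dowp0" "dowp6dowp6dowp8dowp9dowp5dowp5dowp9dowp4"  # '.'
    "dowpbdowp8dowp6dowp4dowp0dowp0dowp0dowp0dowp0dowp0" "dowp6dowp6dowp8dowp9"                      # 'd', preview cut off
)


def decode_payload(encoded: str, delim: str = "dowp") -> bytes:
    """Strip the per-character delimiter, drop the 0x prefix, hex-decode.

    The report's preview ends mid-file, so a dangling odd nibble is dropped
    instead of raising.
    """
    hexstr = encoded.replace(delim, "")
    if hexstr[:2].lower() == "0x":
        hexstr = hexstr[2:]
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr)


def frame_size(code: bytes):
    """imm32 of a leading 'push ebp; mov ebp,esp; sub esp, imm32', else None."""
    if len(code) >= 9 and code[:5] == b"\x55\x8b\xec\x81\xec":
        return struct.unpack_from("<I", code, 5)[0]
    return None


def recover_stack_strings(code: bytes) -> list[str]:
    """Recover UTF-16LE strings built on the stack one code unit at a time.

    Pattern matched (what the decoded bytes show):
        B8+r imm32            mov r32, imm32
        66 89 /r disp8        mov word [ebp+disp8], r16   (same register)
    Consecutive stores two bytes apart belong to one string; a gap starts
    a new one.
    """
    strings, cur, expect = [], [], None
    i = 0
    while i + 5 <= len(code):
        op = code[i]
        if 0xB8 <= op <= 0xBF and i + 9 <= len(code):
            reg = op - 0xB8
            imm = struct.unpack_from("<I", code, i + 1)[0]
            modrm, disp = code[i + 7], code[i + 8]
            if (code[i + 5] == 0x66 and code[i + 6] == 0x89
                    and modrm >> 6 == 1            # mod=01: [reg + disp8]
                    and (modrm >> 3) & 7 == reg    # source register matches
                    and modrm & 7 == 5):           # rm=101: ebp
                disp = disp - 256 if disp > 127 else disp
                if expect is not None and disp != expect:
                    strings.append("".join(cur))
                    cur = []
                cur.append(chr(imm & 0xFFFF))
                expect = disp + 2
                i += 9
                continue
        i += 1
    if cur:
        strings.append("".join(cur))
    return strings


def analyse(encoded: str) -> dict:
    code = decode_payload(encoded)
    return {
        "size": len(code),
        "frame_size": frame_size(code),
        "stack_strings": recover_stack_strings(code),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

On the preview this yields 99 bytes, a 0x2cc-byte stack frame and the string "kernel32." (the trailing 'd' is lost because the preview stops before its store instruction). Pointed at the full dropped file, and assuming the same encoding throughout, the 143,378 characters would decode to roughly 14 KB of code; the first thing to check is whether the stack strings continue with the API names the stager resolves.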
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):45984
                                                                  Entropy (8bit):6.16795797263964
                                                                  Encrypted:false
                                                                  SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                                  MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                                  SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                                  SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                                  SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                  • Filename: PO54782322024.exe, Detection: malicious
                                                                  • Filename: m30zZYga23.exe, Detection: malicious
                                                                  • Filename: RFQ.exe, Detection: malicious
                                                                  • Filename: AWB#150332.exe, Detection: malicious
                                                                  • Filename: SOA_9828392091.exe, Detection: malicious
                                                                  • Filename: ngPebbPhbp.exe, Detection: malicious
                                                                  • Filename: Pi648je050.exe, Detection: malicious
                                                                  • Filename: shipping documents.exe, Detection: malicious
                                                                  • Filename: Termination_List_November_2024_pdf.exe, Detection: malicious
                                                                  • Filename: Payment_Advice_USD_48,054.40_.exe, Detection: malicious
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                  Process:C:\Users\user\AppData\Roaming\My App\My App.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1141
                                                                  Entropy (8bit):4.442398121585593
                                                                  Encrypted:false
                                                                  SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                                  MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                                  SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                                  SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                                  SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                                  Malicious:false
                                                                  Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.014483729466405
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:Statement 2024-11-29 (K07234).exe
                                                                  File size:1'065'984 bytes
                                                                  MD5:c40b747e2e9780944a16ea7f1da5bb2f
                                                                  SHA1:6a8075a86cb9e4f643653f0c812831352ec56cf3
                                                                  SHA256:2ce30c206c8b8fd863e98c63fa1c75b31a3c3018eab127c5496708cf8c95eb22
                                                                  SHA512:da3f3b81b27bf0251bb5db1b6c2e01e2a82f555aaa610e664b9b3c2d56d96974daf7e521ee324031cf309f3eec354220db86c59f3aa6fc2f13a8fd34817d0caa
                                                                  SSDEEP:24576:qu6J33O0c+JY5UZ+XC0kGso6Fa17RcAvepIrWY:cu0c++OCvkGs9Fa17RcAvaXY
                                                                  TLSH:E735BE2273DDC360CB669173BF6AB7016EBF7C210630B95B2F980D7DA950161262D7A3
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                  Icon Hash:aaf3e3e3938382a0
                                                                  Entrypoint:0x427dcd
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x675784A3 [Tue Dec 10 00:00:35 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:1
                                                                  File Version Major:5
                                                                  File Version Minor:1
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:1
                                                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                  Instruction
                                                                  call 00007F069CD18AFAh
                                                                  jmp 00007F069CD0B8C4h
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  push edi
                                                                  push esi
                                                                  mov esi, dword ptr [esp+10h]
                                                                  mov ecx, dword ptr [esp+14h]
                                                                  mov edi, dword ptr [esp+0Ch]
                                                                  mov eax, ecx
                                                                  mov edx, ecx
                                                                  add eax, esi
                                                                  cmp edi, esi
                                                                  jbe 00007F069CD0BA4Ah
                                                                  cmp edi, eax
                                                                  jc 00007F069CD0BDAEh
                                                                  bt dword ptr [004C31FCh], 01h
                                                                  jnc 00007F069CD0BA49h
                                                                  rep movsb
                                                                  jmp 00007F069CD0BD5Ch
                                                                  cmp ecx, 00000080h
                                                                  jc 00007F069CD0BC14h
                                                                  mov eax, edi
                                                                  xor eax, esi
                                                                  test eax, 0000000Fh
                                                                  jne 00007F069CD0BA50h
                                                                  bt dword ptr [004BE324h], 01h
                                                                  jc 00007F069CD0BF20h
                                                                  bt dword ptr [004C31FCh], 00000000h
                                                                  jnc 00007F069CD0BBEDh
                                                                  test edi, 00000003h
                                                                  jne 00007F069CD0BBFEh
                                                                  test esi, 00000003h
                                                                  jne 00007F069CD0BBDDh
                                                                  bt edi, 02h
                                                                  jnc 00007F069CD0BA4Fh
                                                                  mov eax, dword ptr [esi]
                                                                  sub ecx, 04h
                                                                  lea esi, dword ptr [esi+04h]
                                                                  mov dword ptr [edi], eax
                                                                  lea edi, dword ptr [edi+04h]
                                                                  bt edi, 03h
                                                                  jnc 00007F069CD0BA53h
                                                                  movq xmm1, qword ptr [esi]
                                                                  sub ecx, 08h
                                                                  lea esi, dword ptr [esi+08h]
                                                                  movq qword ptr [edi], xmm1
                                                                  lea edi, dword ptr [edi+08h]
                                                                  test esi, 00000007h
                                                                  je 00007F069CD0BAA5h
                                                                  bt esi, 03h
                                                                  jnc 00007F069CD0BAF8h
                                                                  Programming Language:
                                                                  • [ASM] VS2013 build 21005
                                                                  • [ C ] VS2013 build 21005
                                                                  • [C++] VS2013 build 21005
                                                                  • [ C ] VS2008 SP1 build 30729
                                                                  • [IMP] VS2008 SP1 build 30729
                                                                  • [ASM] VS2013 UPD4 build 31101
                                                                  • [RES] VS2013 build 21005
                                                                  • [LNK] VS2013 UPD4 build 31101
                                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x3ba94 | .rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x103000 | 0x711c | .reloc
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                  .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                  .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  .rsrc | 0xc7000 | 0x3ba94 | 0x3bc00 | 8094bc1c89ab73a1c5674a944efea0f1 | False | 0.8889538114539749 | data | 7.802262533175267 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc | 0x103000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                  RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                                                  RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                                                  RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                                  RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                                                  RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                                                  RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                                                  RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                                                  RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                                                  RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                                                  RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                                                  RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                                                  RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
                                                                  RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                                                  RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                                                  RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                                                  RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                                                  RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                                                  RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                                                  RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                                                  RT_RCDATA | 0xcf7b8 | 0x32d5c | data |  |  | 1.0003409854961098
                                                                  RT_GROUP_ICON | 0x102514 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                                                  RT_GROUP_ICON | 0x10258c | 0x14 | data | English | Great Britain | 1.25
                                                                  RT_GROUP_ICON | 0x1025a0 | 0x14 | data | English | Great Britain | 1.15
                                                                  RT_GROUP_ICON | 0x1025b4 | 0x14 | data | English | Great Britain | 1.25
                                                                  RT_VERSION | 0x1025c8 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                                                  RT_MANIFEST | 0x1026a4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                                  DLL | Import
                                                                  WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                                                  VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                                                  WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                                                  COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                                  MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                                  WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                                                  PSAPI.DLL | GetProcessMemoryInfo
                                                                  IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                                  USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                                                  UxTheme.dll | IsThemeActive
                                                                  KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                                                  USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                                  GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                                  COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                                                                  ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                                  SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                                  ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                                  OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system  Country where language is spoken  Map
English                         Great Britain
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 10, 2024 09:34:55.719961882 CET  49707        443        192.168.2.6    104.26.12.205
Dec 10, 2024 09:34:55.720009089 CET  443          49707      104.26.12.205  192.168.2.6
Dec 10, 2024 09:34:55.720065117 CET  49707        443        192.168.2.6    104.26.12.205
Dec 10, 2024 09:34:55.728544950 CET  49707        443        192.168.2.6    104.26.12.205
Dec 10, 2024 09:34:55.728566885 CET  443          49707      104.26.12.205  192.168.2.6
Dec 10, 2024 09:34:56.944430113 CET  443          49707      104.26.12.205  192.168.2.6
Dec 10, 2024 09:34:56.944511890 CET  49707        443        192.168.2.6    104.26.12.205
Dec 10, 2024 09:34:56.948482037 CET  49707        443        192.168.2.6    104.26.12.205
Dec 10, 2024 09:34:56.948492050 CET  443          49707      104.26.12.205  192.168.2.6
Dec 10, 2024 09:34:56.948787928 CET  443          49707      104.26.12.205  192.168.2.6
Dec 10, 2024 09:34:56.996575117 CET  49707        443        192.168.2.6    104.26.12.205
Dec 10, 2024 09:34:56.999417067 CET  49707        443        192.168.2.6    104.26.12.205
Dec 10, 2024 09:34:57.043330908 CET  443          49707      104.26.12.205  192.168.2.6
Dec 10, 2024 09:34:57.380189896 CET  443          49707      104.26.12.205  192.168.2.6
Dec 10, 2024 09:34:57.380256891 CET  443          49707      104.26.12.205  192.168.2.6
Dec 10, 2024 09:34:57.380314112 CET  49707        443        192.168.2.6    104.26.12.205
Dec 10, 2024 09:34:57.385912895 CET  49707        443        192.168.2.6    104.26.12.205
Dec 10, 2024 09:34:59.383506060 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:34:59.502861977 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:34:59.503150940 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:00.747370958 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:00.748878956 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:00.868802071 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:01.177310944 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:01.177520037 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:01.296821117 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:01.616627932 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:01.617221117 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:01.736619949 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:02.088314056 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:02.088341951 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:02.088354111 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:02.088402033 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:02.137139082 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:02.279750109 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:02.306534052 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:02.425848961 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:02.742141962 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:02.745083094 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:02.864476919 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:03.174673080 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:03.175515890 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:03.294822931 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:03.603331089 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:03.604406118 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:03.723856926 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:04.032382965 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:04.032708883 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:04.152051926 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:04.461038113 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:04.461338997 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:04.580622911 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:04.890155077 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:04.890537977 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:05.009844065 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:05.317838907 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:05.318589926 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:05.318650007 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:05.318675041 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:05.318697929 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:35:05.438266993 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:05.438281059 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:05.438291073 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:05.438303947 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:05.868006945 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:35:05.918380022 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:36.002649069 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:36.002650976 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:36.123765945 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:36.123790026 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:36.123897076 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:36.431992054 CET  587          49708      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:36.432837963 CET  49708        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:37.362186909 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:37.365408897 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:37.484745026 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:37.793283939 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:37.793457985 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:37.912805080 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:38.222163916 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:38.222645044 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:38.342040062 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:38.670533895 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:38.670582056 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:38.670593023 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:38.670638084 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:38.673716068 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:38.793252945 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:39.102498055 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:39.106561899 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:39.226298094 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:39.534740925 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:39.537507057 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:39.656907082 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:39.967262030 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:39.967767000 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:40.087232113 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:40.396181107 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:40.396399021 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:40.515762091 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:40.825167894 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:40.825428009 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:40.944775105 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.253210068 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.257277012 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.376718998 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.685254097 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.690675974 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.690743923 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.690826893 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.690913916 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.692079067 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.810197115 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.810214043 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.810226917 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.810234070 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.810319901 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.811661005 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.811669111 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.811685085 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.811693907 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.811724901 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.811763048 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.811789989 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.811798096 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.811817884 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.811880112 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.811904907 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.811920881 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.811935902 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.812026024 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.929748058 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.929764986 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.929884911 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.931015015 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.931097031 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.931135893 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.931186914 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.931229115 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.931330919 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.931365013 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.931370974 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.931402922 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.931407928 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.931485891 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.931581020 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.931622982 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.931834936 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:41.974332094 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:41.974445105 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:42.049407005 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.050553083 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.050575018 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.050679922 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.050689936 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.050708055 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:42.050781012 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.050870895 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.050987005 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051063061 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051115036 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051208019 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051222086 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051235914 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051306963 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051446915 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051460028 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051486969 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051498890 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051611900 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051623106 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051731110 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051743031 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051783085 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051873922 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.051887989 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.093858004 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.093892097 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.170027018 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.170058012 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.170115948 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.170181036 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.170238018 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.170301914 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.701093912 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:42.745616913 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:48.575050116 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:48.694477081 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:49.002837896 CET  587          49929      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:49.003240108 CET  49929        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:49.004424095 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:49.123790026 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:49.124025106 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:50.366154909 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:50.366305113 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:50.485522985 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:50.792860985 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:50.793035030 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:50.912283897 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:51.220717907 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:51.221299887 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:51.340619087 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:51.667728901 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:51.667747974 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:51.667778015 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:51.667834997 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:51.669265032 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:51.788595915 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:52.096554041 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:52.097548008 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:52.216891050 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:52.524734974 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:52.524944067 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:52.644351006 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:52.959923983 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:52.960221052 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:53.079452038 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:53.387947083 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:53.388155937 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:53.507611036 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:53.828733921 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:53.829466105 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:53.948916912 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.260370970 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.260569096 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:54.380004883 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.687144995 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.687503099 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:54.687542915 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:54.687572002 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:54.687616110 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:54.688746929 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:54.807670116 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.807684898 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.807703018 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.807723045 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:54.807790041 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.807821989 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:54.808959961 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.808968067 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.808974981 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.809024096 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:54.809108973 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.809118032 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.809124947 CET  587          49960      78.128.60.169  192.168.2.6
Dec 10, 2024 09:36:54.809158087 CET  49960        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:36:54.809276104 CET  587          49960      78.128.60.169  192.168.2.6
                                                                  Dec 10, 2024 09:36:54.809287071 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.809324026 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.809950113 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.809988022 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.928128958 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.928193092 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.928270102 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.928316116 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.929436922 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.929483891 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.929608107 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.929621935 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.929637909 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.929660082 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.929682970 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.929708958 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.929909945 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.929949045 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.930063009 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.930075884 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.930116892 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.930116892 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.930418015 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.930468082 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:54.930751085 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:54.930800915 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:55.047771931 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.047835112 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:55.047847033 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.047888994 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:36:55.048969984 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.049237013 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.049329996 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.049398899 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.049489975 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.049562931 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.049602032 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.049689054 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.049937010 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.049961090 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.049993992 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050071955 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050110102 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050210953 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050256014 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050337076 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050349951 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050375938 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050389051 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050442934 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050455093 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050570011 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050621986 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050734043 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050759077 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.050806046 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.167288065 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.167334080 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.167506933 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.167516947 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.167536974 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.167637110 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.590178013 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:36:55.636183977 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:10.032422066 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:10.152012110 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:10.459341049 CET5874996078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:10.460891962 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:10.460896015 CET49960587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:10.580338955 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:10.581096888 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:11.825521946 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:11.825673103 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:11.945143938 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:12.254170895 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:12.257154942 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:12.376486063 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:12.685973883 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:12.689344883 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:12.808825016 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:13.142386913 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:13.142405987 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:13.142436028 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:13.142560005 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:13.144788027 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:13.264373064 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:13.572952986 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:13.574306011 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:13.693933010 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:14.002110958 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:14.002348900 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:14.121965885 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:14.430188894 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:14.431046009 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:14.550605059 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:14.858994007 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:14.865020037 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:14.984376907 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:15.293977022 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:15.294181108 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:15.413592100 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:15.722419977 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:15.722599983 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:15.841885090 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.150077105 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.150515079 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.150515079 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.150515079 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.151673079 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.151673079 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.269944906 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.269957066 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.269972086 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.270071983 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.270970106 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.270981073 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.271071911 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.271071911 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.271086931 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.271100044 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.271290064 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.271297932 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.271327972 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.271328926 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.271348953 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.271362066 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.271383047 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.273003101 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.389193058 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.389214039 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.389359951 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.389702082 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.390377045 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.390387058 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.390554905 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.390563011 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.390646935 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.390656948 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.390803099 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.390863895 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.390969992 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.390999079 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.391124964 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.392260075 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.392378092 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.437738895 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.441081047 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.509216070 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.509344101 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.509433985 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.509928942 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.509991884 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:16.510205984 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.510349035 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.510406971 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.510447025 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.510566950 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.510651112 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.510683060 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.510844946 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.510893106 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.510950089 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.510965109 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.511007071 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.511698008 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.511740923 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.511781931 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.511800051 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.560517073 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.560551882 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.628873110 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.628905058 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.628916979 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.628988981 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.628998995 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.629060030 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.629072905 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.629117966 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.629128933 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.629216909 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.629234076 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.629264116 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.629322052 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:16.629329920 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:17.073476076 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:17.120366096 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:18.903860092 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:19.023308039 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:19.331319094 CET5874999078.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:19.331779003 CET49990587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:19.333287954 CET49991587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:19.452652931 CET5874999178.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:19.452734947 CET49991587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:19.526882887 CET49991587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:19.594738007 CET49992587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:19.646351099 CET5874999178.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:19.646419048 CET49991587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:19.714184046 CET5874999278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:19.714261055 CET49992587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:20.953710079 CET5874999278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:20.953907013 CET49992587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:21.073235989 CET5874999278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:21.381649017 CET5874999278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:21.381777048 CET49992587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:21.501313925 CET5874999278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:21.810524940 CET5874999278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:21.810904980 CET49992587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:21.930238008 CET5874999278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:22.258408070 CET5874999278.128.60.169192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 10, 2024 09:37:22.258441925 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:22.258502007 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:22.261461973 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:22.264961004 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:22.384226084 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:22.692862034 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:22.693727970 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:22.813091040 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:23.123367071 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:23.127904892 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:23.247781992 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:23.555975914 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:23.556237936 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:23.675690889 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:23.984954119 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:23.985136032 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:24.104454041 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:24.433111906 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:24.433335066 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:24.552685022 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:24.861287117 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:24.865086079 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:24.984401941 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.292756081 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.293140888 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.293224096 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.293252945 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.293296099 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.294728994 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.412642956 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.412662983 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.412679911 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.412688971 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.412717104 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.412741899 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.413944006 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.414011955 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.414058924 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.414073944 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.414105892 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.414108992 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.414108992 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.414129019 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.414163113 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.414170027 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.414205074 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.414215088 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.414223909 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.414251089 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.414271116 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.532004118 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.532021046 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.532037020 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.532068968 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.532120943 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.532151937 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.532191038 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.533313036 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.533360004 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.533456087 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.533503056 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.533546925 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.533586025 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.533593893 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.533632994 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.533633947 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.533679962 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.533690929 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.533735037 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.533859015 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.533899069 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.581454039 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.581532001 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.651670933 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.651684046 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.651711941 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.651720047 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.651788950 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.652000904 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.652082920 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:25.652659893 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.652806997 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.652829885 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.652986050 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653023958 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653088093 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653119087 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653156996 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653297901 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653311968 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653374910 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653395891 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653460979 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653498888 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653582096 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.653601885 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.700895071 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.700978041 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771289110 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771300077 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771365881 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771415949 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771472931 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771538019 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771605015 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771615028 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771642923 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771661043 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771673918 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771687984 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771709919 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771718025 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771742105 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:25.771750927 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:26.183228970 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:26.204787016 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:26.204894066 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:26.233794928 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:26.303256035 CET  587          49992      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:26.307941914 CET  49992        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:26.353091002 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:26.353199005 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:27.589298010 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:27.589447975 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:27.708946943 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:28.019423962 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:28.019578934 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:28.139034033 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:28.447931051 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:28.448605061 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:28.567965031 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:28.901621103 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:28.901854992 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:28.901870012 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:28.902309895 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:28.904927969 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:29.024231911 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:29.332067013 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:29.341758966 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:29.461463928 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:29.768780947 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:29.770334005 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:29.889719009 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:30.198348999 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:30.198595047 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:30.317975044 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:30.647981882 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:30.648170948 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:30.767548084 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:31.076255083 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:31.076596975 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:31.196382999 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:31.504271984 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:31.504446030 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:31.623886108 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:31.932547092 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:31.932996035 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:31.933068037 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:31.933134079 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:31.933222055 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:31.934276104 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.052532911 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.052584887 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.052601099 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.052598953 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.052613020 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.052656889 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.053678989 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.053692102 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.053730011 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.053741932 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.053755999 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.053756952 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.053786039 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.053796053 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.053833961 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.053850889 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.171731949 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.171782970 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.171794891 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.171828032 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.171869993 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.172007084 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.172064066 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.172064066 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.172131062 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.173080921 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.173122883 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.173145056 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.173160076 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.173221111 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.173357964 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.173413038 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.173425913 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.173434019 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.173486948 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.217585087 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.217644930 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.291281939 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.291383028 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.291467905 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.291594982 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.291779995 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.291870117 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:32.292818069 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.292857885 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.292996883 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.293061972 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.293190956 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.293212891 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.337025881 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.337169886 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411082029 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411106110 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411114931 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411132097 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411139965 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411189079 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411200047 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411214113 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411227942 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411236048 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411334038 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411350012 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411371946 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411382914 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411416054 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411427975 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411542892 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.411551952 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.863774061 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:32.917129040 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:33.195662975 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:33.315210104 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:33.622811079 CET  587          49993      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:33.623421907 CET  49993        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:33.625060081 CET  49995        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:33.653558016 CET  49996        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:33.744317055 CET  587          49995      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:33.744395971 CET  49995        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:33.773073912 CET  587          49996      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:33.773129940 CET  49996        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:34.981239080 CET  587          49995      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:34.986877918 CET  49995        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:35.025326967 CET  587          49996      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:35.030903101 CET  49996        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:35.106542110 CET  587          49995      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:35.150209904 CET  587          49996      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:35.414370060 CET  587          49995      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:35.414499044 CET  49995        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:35.458697081 CET  587          49996      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:35.458862066 CET  49996        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:35.533859968 CET  587          49995      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:35.578229904 CET  587          49996      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:35.842541933 CET  587          49995      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:35.842967033 CET  49995        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:35.887155056 CET  587          49996      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:35.887530088 CET  49996        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:35.962368011 CET  587          49995      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:36.006906986 CET  587          49996      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:36.060323000 CET  49996        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:36.107729912 CET  49997        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:36.180620909 CET  587          49996      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:36.180712938 CET  49996        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:36.227323055 CET  587          49997      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:36.227447987 CET  49997        587        192.168.2.6    78.128.60.169
Dec 10, 2024 09:37:36.291377068 CET  587          49995      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:36.300201893 CET  587          49995      78.128.60.169  192.168.2.6
Dec 10, 2024 09:37:36.300234079 CET  587          49995      78.128.60.169  192.168.2.6
                                                                  Dec 10, 2024 09:37:36.301131010 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:36.304872990 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:36.424257040 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:36.732188940 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:36.735141039 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:36.854626894 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:37.162939072 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:37.173079014 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:37.292387009 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:37.465369940 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:37.465598106 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:37.585076094 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:37.600055933 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:37.600398064 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:37.719782114 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:37.904161930 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:37.904315948 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:38.024333954 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:38.027910948 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:38.028110981 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:38.147552013 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:38.333336115 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:38.339071035 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:38.456321955 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:38.458398104 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:38.458442926 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:38.577863932 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:38.788683891 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:38.788717985 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:38.788728952 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:38.788965940 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:38.792855978 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:38.885539055 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:38.887722969 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:38.912218094 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.007190943 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.220886946 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.222913027 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.314600945 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.314939022 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.314984083 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.314984083 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.315095901 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.319422960 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.342318058 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.434309006 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.434345007 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.434375048 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.434401989 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.434417963 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.434458017 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.439547062 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.439572096 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.439609051 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.439631939 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.439694881 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.439799070 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.439799070 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.461781979 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.461796999 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.461813927 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.461836100 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.461862087 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.553482056 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.553551912 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.553787947 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.553807974 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.553834915 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.553860903 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.559176922 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.559231043 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.559308052 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.559367895 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.559396029 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.559449911 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.559458017 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.559503078 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.559557915 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.559618950 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.581244946 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.581257105 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.581279039 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.581325054 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.581325054 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.581360102 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.625277996 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.625339031 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.651251078 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.651807070 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.673023939 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.673100948 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.673155069 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.673222065 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.673248053 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.673305988 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:39.678917885 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.679070950 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.679178953 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.679342031 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.679400921 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.679414988 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.700831890 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.700846910 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.700862885 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.701037884 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.701168060 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.701180935 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.701191902 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.701201916 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.701217890 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.701240063 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.701261044 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.744738102 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.744765997 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.771172047 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.792515039 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.792577982 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.792593002 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.792674065 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.792701960 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.792803049 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.792814970 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.792829990 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.792860985 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:39.792876005 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:40.079752922 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:40.080009937 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:40.199450970 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:40.218075991 CET5874999578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:40.260819912 CET49995587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:40.508337975 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:40.508574963 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:40.627975941 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:40.937089920 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:40.939111948 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:41.058609009 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.367214918 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.367413044 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:41.486836910 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.795042992 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.799658060 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:41.799731016 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:41.803317070 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:41.803411961 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:41.830003977 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:41.919179916 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.919209003 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.919250965 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:41.922728062 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.922746897 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.922797918 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:41.949806929 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.949830055 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.949839115 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.949862957 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.949872971 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.949877977 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:41.949886084 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:41.949956894 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:41.949956894 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.038497925 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.038518906 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.038533926 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.038551092 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.038553953 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.038603067 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.038603067 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.042167902 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.042220116 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.069427967 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.069490910 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.069547892 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.069600105 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.069758892 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.069776058 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.069813967 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.069813967 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.069909096 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.069917917 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.069957018 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.069969893 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.158185959 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.158246040 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.158260107 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.158268929 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.158358097 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.161623001 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.161675930 CET49997587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:37:42.188867092 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.188941002 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189057112 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189251900 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189327002 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189398050 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189439058 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189563990 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189608097 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189722061 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189735889 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189845085 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189857006 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189872980 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.189881086 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.277992010 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.278021097 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.278062105 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.278073072 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.278090000 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:37:42.278099060 CET5874999778.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.579993010 CET50002587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:19.580091953 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.580107927 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.580144882 CET50002587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:19.580144882 CET50002587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:19.580168962 CET50002587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:19.580260992 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.580313921 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.580315113 CET50002587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:19.580447912 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.580626965 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.699481964 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.700387001 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.700404882 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.700558901 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.700730085 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.700892925 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.701030970 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.701044083 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.701190948 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.701205015 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.818686008 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.818706989 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.818723917 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.819500923 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.819513083 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.819674015 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.819768906 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.819780111 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.819854975 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.819977999 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.819989920 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.820085049 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.820094109 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.820215940 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.820229053 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.820236921 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.820256948 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.820291042 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:19.820306063 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:20.180141926 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:20.229316950 CET50002587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:27.977953911 CET50002587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:28.097295046 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:28.405642033 CET5875000278.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:28.407387972 CET50002587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:28.407387972 CET50003587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:28.526798010 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:28.526892900 CET50003587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:29.765136957 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:29.765280962 CET50003587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:29.884649038 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:30.193363905 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:30.193559885 CET50003587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:30.312850952 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:30.622216940 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:30.622749090 CET50003587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:30.742022038 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:31.070847988 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:31.070900917 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:31.070914984 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:31.071070910 CET50003587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:31.072596073 CET50003587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:31.192743063 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:31.216490030 CET50003587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:31.286609888 CET50004587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:31.336194992 CET5875000378.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:31.336277962 CET50003587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:31.406014919 CET5875000478.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:31.406088114 CET50004587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:31.885844946 CET50004587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:31.967039108 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:32.005276918 CET5875000478.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:32.005337000 CET50004587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:32.086451054 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:32.086565971 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:33.324577093 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:33.324786901 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:33.444209099 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:33.751851082 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:33.751987934 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:33.871288061 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:34.179414034 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:34.179837942 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:34.299104929 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:34.627863884 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:34.627933979 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:34.627949953 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:34.627983093 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:34.630006075 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:34.749363899 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:35.056848049 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:35.064466953 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:35.183803082 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:35.491142988 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:35.491432905 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:35.610681057 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:35.922260046 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:35.922590017 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:36.041887999 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:36.350078106 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:36.350322962 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:36.469700098 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:36.778588057 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:36.778772116 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:36.898034096 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.216264009 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.220640898 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.339931965 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.647955894 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.648305893 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.648397923 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.648468018 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.648535967 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.650182962 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.767580032 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.767657995 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.767677069 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.767688990 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.767776966 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.767834902 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.769499063 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.769507885 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.769555092 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.769582033 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.769593000 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.769638062 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.769645929 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.769645929 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.769696951 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.769742966 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.769751072 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.769792080 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.769833088 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.769884109 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.886984110 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.887061119 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.887087107 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.887139082 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.889046907 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.889106989 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.889141083 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.889206886 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.889307976 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.889317036 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.889374971 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.889435053 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.889487028 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.889545918 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.889554024 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.889615059 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:37.889642000 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:37.889691114 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:38.006396055 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.006459951 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.006479979 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:38.006571054 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:38.008409023 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.008588076 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.008620977 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.008735895 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.008796930 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.008876085 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009046078 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009125948 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009238958 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009393930 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009406090 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009562969 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009572029 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009671926 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009690046 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009773970 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009793997 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009888887 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.009907961 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.010006905 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.010030985 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.010107994 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.010133982 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.010211945 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.010243893 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.010332108 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.104579926 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:38.125770092 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.125873089 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.125883102 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.126013994 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.126027107 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.127523899 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.154088020 CET50006587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:38.224189997 CET5875000578.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.224307060 CET50005587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:38.273317099 CET5875000678.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:38.273411036 CET50006587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:39.512411118 CET5875000678.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:39.512547016 CET50006587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:39.631875038 CET5875000678.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:39.940581083 CET5875000678.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:39.940711975 CET50006587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:40.059993029 CET5875000678.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:40.368813992 CET5875000678.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:40.369249105 CET50006587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:40.488537073 CET5875000678.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:40.817383051 CET5875000678.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:40.817410946 CET5875000678.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:40.817420959 CET5875000678.128.60.169192.168.2.6
                                                                  Dec 10, 2024 09:38:40.817501068 CET50006587192.168.2.678.128.60.169
                                                                  Dec 10, 2024 09:38:40.818912029 CET50006587192.168.2.678.128.60.169
Dec 10, 2024 09:38:40.938143015 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:41.246611118 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:41.249548912 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:41.369208097 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:41.677859068 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:41.678172112 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:41.797420979 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:42.106087923 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:42.106475115 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:42.225692987 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:42.535284042 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:42.536588907 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:42.655997992 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:42.965141058 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:42.967083931 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:43.086374998 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:43.394906998 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:43.395148039 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:43.514568090 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.056216955 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.056637049 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.056718111 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.056799889 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.056858063 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.058504105 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.176307917 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.176320076 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.176347971 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.176387072 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.176426888 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.176455975 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.178103924 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.178112984 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.178147078 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.178158045 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.178164005 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.178183079 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.178201914 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.178210020 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.178232908 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.178240061 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.178271055 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.178301096 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.178308964 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.178338051 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.178350925 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.178451061 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.178493023 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.295886993 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.295902967 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.296000957 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.297394991 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.297446012 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.297494888 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.297518015 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.297545910 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.297573090 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.297665119 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.297713995 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.297724962 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.297770023 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.297801018 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.297827959 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.297844887 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.297878027 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.297882080 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.297926903 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.340471983 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.340585947 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.415385008 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.415405989 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.415648937 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:44.416912079 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.416997910 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417033911 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417129993 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417171955 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417223930 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417337894 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417455912 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417465925 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417542934 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417553902 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417642117 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417651892 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417710066 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417745113 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417813063 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417823076 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417922020 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417933941 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.417965889 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.418019056 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.418026924 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.418072939 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.418081045 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.459960938 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.459981918 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.534940958 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.534960032 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.535092115 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.535151005 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.535204887 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.535243034 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:44.966464996 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:45.010524035 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:53.208359957 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:53.327749014 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:53.636893034 CET | 587 | 50006 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:53.637449980 CET | 50006 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:53.639089108 CET | 50007 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:53.758574009 CET | 587 | 50007 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:53.758650064 CET | 50007 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:53.776007891 CET | 50007 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:53.858311892 CET | 50008 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:53.895353079 CET | 587 | 50007 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:53.895406961 CET | 50007 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:53.977643013 CET | 587 | 50008 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:53.977713108 CET | 50008 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:54.776108980 CET | 50008 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:54.830106020 CET | 50009 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:54.896045923 CET | 587 | 50008 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:54.896161079 CET | 50008 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:54.949410915 CET | 587 | 50009 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:54.949525118 CET | 50009 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:55.088629961 CET | 50009 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:55.156352043 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:55.208115101 CET | 587 | 50009 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:55.208231926 CET | 50009 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:55.275810957 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:55.276015997 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:56.494776964 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:56.496330976 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:56.616601944 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:57.001286030 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:57.002561092 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:57.122704983 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:57.506724119 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:57.585170984 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:57.705724001 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:58.103037119 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:58.103061914 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:58.103074074 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:58.103095055 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:58.105262995 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:58.225836992 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:58.611648083 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:58.613977909 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:58.733697891 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:59.108582020 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:59.108787060 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:59.228039026 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:59.596240997 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:38:59.596544027 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:38:59.715893030 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:39:00.118581057 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:39:00.118757963 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:39:00.238193035 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:39:00.634366035 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:39:00.713452101 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:39:01.358416080 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:39:01.361592054 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:39:01.402019978 CET | 50011 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:39:01.477935076 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:39:01.481162071 CET | 587 | 50010 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:39:01.481230974 CET | 50010 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:39:01.521410942 CET | 587 | 50011 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:39:01.521547079 CET | 50011 | 587 | 192.168.2.6 | 78.128.60.169
Dec 10, 2024 09:39:02.766436100 CET | 587 | 50011 | 78.128.60.169 | 192.168.2.6
Dec 10, 2024 09:39:02.807137012 CET | 50011 | 587 | 192.168.2.6 | 78.128.60.169
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 09:34:55.573309898 CET | 64788 | 53 | 192.168.2.6 | 1.1.1.1
Dec 10, 2024 09:34:55.711154938 CET | 53 | 64788 | 1.1.1.1 | 192.168.2.6
Dec 10, 2024 09:34:58.403812885 CET | 60744 | 53 | 192.168.2.6 | 1.1.1.1
Dec 10, 2024 09:34:59.373197079 CET | 53 | 60744 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 09:34:55.573309898 CET | 192.168.2.6 | 1.1.1.1 | 0x1886 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Dec 10, 2024 09:34:58.403812885 CET | 192.168.2.6 | 1.1.1.1 | 0xaf84 | Standard query (0) | mail.naubahar.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 09:34:55.711154938 CET | 1.1.1.1 | 192.168.2.6 | 0x1886 | No error (0) | api.ipify.org | - | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 09:34:55.711154938 CET | 1.1.1.1 | 192.168.2.6 | 0x1886 | No error (0) | api.ipify.org | - | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 09:34:55.711154938 CET | 1.1.1.1 | 192.168.2.6 | 0x1886 | No error (0) | api.ipify.org | - | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 09:34:59.373197079 CET | 1.1.1.1 | 192.168.2.6 | 0xaf84 | No error (0) | mail.naubahar.com | naubahar.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 09:34:59.373197079 CET | 1.1.1.1 | 192.168.2.6 | 0xaf84 | No error (0) | naubahar.com | - | 78.128.60.169 | A (IP address) | IN (0x0001) | false
• api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49707 | 104.26.12.205 | 443 | 432 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 08:34:56 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-12-10 08:34:57 UTC | 424 | IN | HTTP/1.1 200 OK
    Date: Tue, 10 Dec 2024 08:34:57 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8efbe6139a7c6a5b-EWR
    server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1692&rtt_var=670&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1589548&cwnd=199&unsent_bytes=0&cid=4cf66761e3896ffe&ts=446&x=0"
2024-12-10 08:34:57 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 32
    Data Ascii: 8.46.123.182


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Dec 10, 2024 09:35:00.747370958 CET | 587 | 49708 | 78.128.60.169 | 192.168.2.6 | 220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:35:00 +0500
Dec 10, 2024 09:35:00.748878956 CET | 49708 | 587 | 192.168.2.6 | 78.128.60.169 | EHLO 927537
Dec 10, 2024 09:35:01.177310944 CET | 587 | 49708 | 78.128.60.169 | 192.168.2.6 | 250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
    250-SIZE 52428800
    250-LIMITS MAILMAX=1000 RCPTMAX=50000
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH LOGIN PLAIN
    250-CHUNKING
    250-STARTTLS
    250 HELP
Dec 10, 2024 09:35:01.177520037 CET | 49708 | 587 | 192.168.2.6 | 78.128.60.169 | STARTTLS
Dec 10, 2024 09:35:01.616627932 CET | 587 | 49708 | 78.128.60.169 | 192.168.2.6 | 220 TLS go ahead
Dec 10, 2024 09:36:37.362186909 CET | 587 | 49929 | 78.128.60.169 | 192.168.2.6 | 220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:36:37 +0500
Dec 10, 2024 09:36:37.365408897 CET | 49929 | 587 | 192.168.2.6 | 78.128.60.169 | EHLO 927537
Dec 10, 2024 09:36:37.793283939 CET | 587 | 49929 | 78.128.60.169 | 192.168.2.6 | 250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
    250-SIZE 52428800
    250-LIMITS MAILMAX=1000 RCPTMAX=50000
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH LOGIN PLAIN
    250-CHUNKING
    250-STARTTLS
    250 HELP
Dec 10, 2024 09:36:37.793457985 CET | 49929 | 587 | 192.168.2.6 | 78.128.60.169 | STARTTLS
Dec 10, 2024 09:36:38.222163916 CET | 587 | 49929 | 78.128.60.169 | 192.168.2.6 | 220 TLS go ahead
Dec 10, 2024 09:36:50.366154909 CET | 587 | 49960 | 78.128.60.169 | 192.168.2.6 | 220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:36:50 +0500
Dec 10, 2024 09:36:50.366305113 CET | 49960 | 587 | 192.168.2.6 | 78.128.60.169 | EHLO 927537
Dec 10, 2024 09:36:50.792860985 CET | 587 | 49960 | 78.128.60.169 | 192.168.2.6 | 250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
    250-SIZE 52428800
    250-LIMITS MAILMAX=1000 RCPTMAX=50000
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH LOGIN PLAIN
    250-CHUNKING
    250-STARTTLS
    250 HELP
Dec 10, 2024 09:36:50.793035030 CET | 49960 | 587 | 192.168.2.6 | 78.128.60.169 | STARTTLS
Dec 10, 2024 09:36:51.220717907 CET | 587 | 49960 | 78.128.60.169 | 192.168.2.6 | 220 TLS go ahead
Dec 10, 2024 09:37:11.825521946 CET | 587 | 49990 | 78.128.60.169 | 192.168.2.6 | 220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:37:11 +0500
Dec 10, 2024 09:37:11.825673103 CET | 49990 | 587 | 192.168.2.6 | 78.128.60.169 | EHLO 927537
Dec 10, 2024 09:37:12.254170895 CET | 587 | 49990 | 78.128.60.169 | 192.168.2.6 | 250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
    250-SIZE 52428800
    250-LIMITS MAILMAX=1000 RCPTMAX=50000
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH LOGIN PLAIN
    250-CHUNKING
    250-STARTTLS
    250 HELP
Dec 10, 2024 09:37:12.257154942 CET | 49990 | 587 | 192.168.2.6 | 78.128.60.169 | STARTTLS
Dec 10, 2024 09:37:12.685973883 CET | 587 | 49990 | 78.128.60.169 | 192.168.2.6 | 220 TLS go ahead
Dec 10, 2024 09:37:20.953710079 CET | 587 | 49992 | 78.128.60.169 | 192.168.2.6 | 220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:37:20 +0500
Dec 10, 2024 09:37:20.953907013 CET | 49992 | 587 | 192.168.2.6 | 78.128.60.169 | EHLO 927537
Dec 10, 2024 09:37:21.381649017 CET | 587 | 49992 | 78.128.60.169 | 192.168.2.6 | 250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
    250-SIZE 52428800
    250-LIMITS MAILMAX=1000 RCPTMAX=50000
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH LOGIN PLAIN
    250-CHUNKING
    250-STARTTLS
    250 HELP
Dec 10, 2024 09:37:21.381777048 CET | 49992 | 587 | 192.168.2.6 | 78.128.60.169 | STARTTLS
Dec 10, 2024 09:37:21.810524940 CET | 587 | 49992 | 78.128.60.169 | 192.168.2.6 | 220 TLS go ahead
Dec 10, 2024 09:37:27.589298010 CET | 587 | 49993 | 78.128.60.169 | 192.168.2.6 | 220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:37:27 +0500
Dec 10, 2024 09:37:27.589447975 CET | 49993 | 587 | 192.168.2.6 | 78.128.60.169 | EHLO 927537
Dec 10, 2024 09:37:28.019423962 CET | 587 | 49993 | 78.128.60.169 | 192.168.2.6 | 250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
    250-SIZE 52428800
                                                                  250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPECONNECT
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-CHUNKING
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  Dec 10, 2024 09:37:28.019578934 CET49993587192.168.2.678.128.60.169STARTTLS
                                                                  Dec 10, 2024 09:37:28.447931051 CET5874999378.128.60.169192.168.2.6220 TLS go ahead
                                                                  Dec 10, 2024 09:37:34.981239080 CET5874999578.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:37:34 +0500
                                                                  Dec 10, 2024 09:37:34.986877918 CET49995587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:37:35.025326967 CET5874999678.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:37:34 +0500
                                                                  Dec 10, 2024 09:37:35.030903101 CET49996587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:37:35.414370060 CET5874999578.128.60.169192.168.2.6250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
                                                                  250-SIZE 52428800
                                                                  250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPECONNECT
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-CHUNKING
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  Dec 10, 2024 09:37:35.414499044 CET49995587192.168.2.678.128.60.169STARTTLS
                                                                  Dec 10, 2024 09:37:35.458697081 CET5874999678.128.60.169192.168.2.6250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
                                                                  250-SIZE 52428800
                                                                  250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPECONNECT
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-CHUNKING
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  Dec 10, 2024 09:37:35.458862066 CET49996587192.168.2.678.128.60.169STARTTLS
                                                                  Dec 10, 2024 09:37:35.842541933 CET5874999578.128.60.169192.168.2.6220 TLS go ahead
                                                                  Dec 10, 2024 09:37:35.887155056 CET5874999678.128.60.169192.168.2.6220 TLS go ahead
                                                                  Dec 10, 2024 09:37:37.465369940 CET5874999778.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:37:37 +0500
                                                                  Dec 10, 2024 09:37:37.465598106 CET49997587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:37:37.904161930 CET5874999778.128.60.169192.168.2.6250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
                                                                  250-SIZE 52428800
                                                                  250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPECONNECT
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-CHUNKING
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  Dec 10, 2024 09:37:37.904315948 CET49997587192.168.2.678.128.60.169STARTTLS
                                                                  Dec 10, 2024 09:37:38.333336115 CET5874999778.128.60.169192.168.2.6220 TLS go ahead
                                                                  Dec 10, 2024 09:37:56.617429972 CET5874999878.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:37:56 +0500
                                                                  Dec 10, 2024 09:37:56.617717028 CET49998587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:37:57.045097113 CET5874999878.128.60.169192.168.2.6250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
                                                                  250-SIZE 52428800
                                                                  250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPECONNECT
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-CHUNKING
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  Dec 10, 2024 09:37:57.045295954 CET49998587192.168.2.678.128.60.169STARTTLS
                                                                  Dec 10, 2024 09:37:57.473283052 CET5874999878.128.60.169192.168.2.6220 TLS go ahead
                                                                  Dec 10, 2024 09:38:00.701571941 CET5874999978.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:38:00 +0500
                                                                  Dec 10, 2024 09:38:00.701745033 CET49999587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:38:01.073045015 CET5874999978.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:38:00 +0500
                                                                  Dec 10, 2024 09:38:01.073163033 CET49999587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:38:01.432550907 CET49999587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:38:01.457278967 CET5874999978.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:38:00 +0500
                                                                  Dec 10, 2024 09:38:02.729343891 CET5875000078.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:38:02 +0500
                                                                  Dec 10, 2024 09:38:02.729537010 CET50000587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:38:03.157989025 CET5875000078.128.60.169192.168.2.6250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
                                                                  250-SIZE 52428800
                                                                  250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPECONNECT
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-CHUNKING
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  Dec 10, 2024 09:38:03.160815001 CET50000587192.168.2.678.128.60.169STARTTLS
                                                                  Dec 10, 2024 09:38:03.589622974 CET5875000078.128.60.169192.168.2.6220 TLS go ahead
                                                                  Dec 10, 2024 09:38:14.885335922 CET5875000278.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:38:14 +0500
                                                                  Dec 10, 2024 09:38:14.886981010 CET50002587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:38:15.314865112 CET5875000278.128.60.169192.168.2.6250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
                                                                  250-SIZE 52428800
                                                                  250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPECONNECT
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-CHUNKING
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  Dec 10, 2024 09:38:15.319133043 CET50002587192.168.2.678.128.60.169STARTTLS
                                                                  Dec 10, 2024 09:38:15.748066902 CET5875000278.128.60.169192.168.2.6220 TLS go ahead
                                                                  Dec 10, 2024 09:38:29.765136957 CET5875000378.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:38:29 +0500
                                                                  Dec 10, 2024 09:38:29.765280962 CET50003587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:38:30.193363905 CET5875000378.128.60.169192.168.2.6250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
                                                                  250-SIZE 52428800
                                                                  250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPECONNECT
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-CHUNKING
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  Dec 10, 2024 09:38:30.193559885 CET50003587192.168.2.678.128.60.169STARTTLS
                                                                  Dec 10, 2024 09:38:30.622216940 CET5875000378.128.60.169192.168.2.6220 TLS go ahead
                                                                  Dec 10, 2024 09:38:33.324577093 CET5875000578.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:38:32 +0500
                                                                  Dec 10, 2024 09:38:33.324786901 CET50005587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:38:33.751851082 CET5875000578.128.60.169192.168.2.6250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
                                                                  250-SIZE 52428800
                                                                  250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPECONNECT
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-CHUNKING
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  Dec 10, 2024 09:38:33.751987934 CET50005587192.168.2.678.128.60.169STARTTLS
                                                                  Dec 10, 2024 09:38:34.179414034 CET5875000578.128.60.169192.168.2.6220 TLS go ahead
                                                                  Dec 10, 2024 09:38:39.512411118 CET5875000678.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:38:39 +0500
                                                                  Dec 10, 2024 09:38:39.512547016 CET50006587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:38:39.940581083 CET5875000678.128.60.169192.168.2.6250-cloud-99eaf2.managed-vps.net Hello 927537 [8.46.123.182]
                                                                  250-SIZE 52428800
                                                                  250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPECONNECT
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-CHUNKING
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  Dec 10, 2024 09:38:39.940711975 CET50006587192.168.2.678.128.60.169STARTTLS
                                                                  Dec 10, 2024 09:38:40.368813992 CET5875000678.128.60.169192.168.2.6220 TLS go ahead
                                                                  Dec 10, 2024 09:38:56.494776964 CET5875001078.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:38:56 +0500
                                                                  Dec 10, 2024 09:38:56.496330976 CET50010587192.168.2.678.128.60.169EHLO 927537
                                                                  Dec 10, 2024 09:38:57.001286030 CET5875001078.128.60.169192.168.2.6250-cloud-99eaf2.managed-vps.net Hello 927537 [70.92.184.240]
                                                                  250-SIZE 52428800
                                                                  250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                  250-8BITMIME
                                                                  250-PIPELINING
                                                                  250-PIPECONNECT
                                                                  250-AUTH LOGIN PLAIN
                                                                  250-CHUNKING
                                                                  250-STARTTLS
                                                                  250 HELP
                                                                  Dec 10, 2024 09:38:57.002561092 CET50010587192.168.2.678.128.60.169STARTTLS
                                                                  Dec 10, 2024 09:38:57.506724119 CET5875001078.128.60.169192.168.2.6220 TLS go ahead
                                                                  Dec 10, 2024 09:39:02.766436100 CET5875001178.128.60.169192.168.2.6220 cloud-99eaf2.managed-vps.net ESMTP Exim 4.98 Tue, 10 Dec 2024 13:39:02 +0500

                                                                  Target ID:0
                                                                  Start time:03:34:52
                                                                  Start date:10/12/2024
                                                                  Path:C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe"
                                                                  Imagebase:0x7d0000
                                                                  File size:1'065'984 bytes
                                                                  MD5 hash:C40B747E2E9780944A16EA7F1DA5BB2F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2101572513.00000000010F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:03:34:53
                                                                  Start date:10/12/2024
                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\Statement 2024-11-29 (K07234).exe"
                                                                  Imagebase:0x190000
                                                                  File size:45'984 bytes
                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4559205674.000000000251B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4559205674.000000000251B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4557900944.0000000000562000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4557900944.0000000000562000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:3
                                                                  Start time:03:35:06
                                                                  Start date:10/12/2024
                                                                  Path:C:\Users\user\AppData\Roaming\My App\My App.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Roaming\My App\My App.exe"
                                                                  Imagebase:0xb00000
                                                                  File size:45'984 bytes
                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:03:35:06
                                                                  Start date:10/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff66e660000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:03:35:14
                                                                  Start date:10/12/2024
                                                                  Path:C:\Users\user\AppData\Roaming\My App\My App.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Roaming\My App\My App.exe"
                                                                  Imagebase:0x5f0000
                                                                  File size:45'984 bytes
                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:03:35:15
                                                                  Start date:10/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff66e660000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                    Execution Graph

                                                                    Execution Coverage:3.9%
                                                                    Dynamic/Decrypted Code Coverage:0.4%
                                                                    Signature Coverage:6.8%
                                                                    Total number of Nodes:2000
                                                                    Total number of Limit Nodes:169
101218->101219 101219->101151 101221 7f5797 101220->101221 101225 7f5728 101220->101225 101246 7f33a1 DecodePointer 101221->101246 101223 7f579d 101247 7f8b28 58 API calls __getptd_noexit 101223->101247 101224 7f5733 101224->101225 101240 7fa16b 58 API calls __NMSG_WRITE 101224->101240 101241 7fa1c8 58 API calls 7 library calls 101224->101241 101242 7f309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 101224->101242 101225->101224 101228 7f575b RtlAllocateHeap 101225->101228 101231 7f5783 101225->101231 101235 7f5781 101225->101235 101243 7f33a1 DecodePointer 101225->101243 101228->101225 101229 7f578f 101228->101229 101229->101164 101244 7f8b28 58 API calls __getptd_noexit 101231->101244 101245 7f8b28 58 API calls __getptd_noexit 101235->101245 101237->101164 101238->101169 101239->101171 101240->101224 101241->101224 101243->101225 101244->101235 101245->101229 101246->101223 101247->101229 101248->101183 101250 7f2c50 __close 101249->101250 101257 7f3217 101250->101257 101256 7f2c77 __close 101256->101126 101274 7f9c0b 101257->101274 101259 7f2c59 101260 7f2c88 DecodePointer DecodePointer 101259->101260 101261 7f2c65 101260->101261 101262 7f2cb5 101260->101262 101271 7f2c82 101261->101271 101262->101261 101320 7f87a4 59 API calls ___wstrgtold12_l 101262->101320 101264 7f2d18 EncodePointer EncodePointer 101264->101261 101265 7f2cc7 101265->101264 101266 7f2cec 101265->101266 101321 7f8864 61 API calls 2 library calls 101265->101321 101266->101261 101269 7f2d06 EncodePointer 101266->101269 101322 7f8864 61 API calls 2 library calls 101266->101322 101269->101264 101270 7f2d00 101270->101261 101270->101269 101323 7f3220 101271->101323 101275 7f9c2f EnterCriticalSection 101274->101275 101276 7f9c1c 101274->101276 101275->101259 101281 7f9c93 101276->101281 101278 7f9c22 101278->101275 101305 7f30b5 58 API calls 3 library calls 101278->101305 101282 7f9c9f __close 101281->101282 101283 7f9ca8 101282->101283 101284 7f9cc0 101282->101284 101306 
7fa16b 58 API calls __NMSG_WRITE 101283->101306 101292 7f9ce1 __close 101284->101292 101309 7f881d 58 API calls __malloc_crt 101284->101309 101286 7f9cad 101307 7fa1c8 58 API calls 7 library calls 101286->101307 101288 7f9cd5 101290 7f9cdc 101288->101290 101291 7f9ceb 101288->101291 101310 7f8b28 58 API calls __getptd_noexit 101290->101310 101295 7f9c0b __lock 58 API calls 101291->101295 101292->101278 101293 7f9cb4 101308 7f309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 101293->101308 101297 7f9cf2 101295->101297 101299 7f9cff 101297->101299 101300 7f9d17 101297->101300 101311 7f9e2b InitializeCriticalSectionAndSpinCount 101299->101311 101312 7f2d55 101300->101312 101303 7f9d0b 101318 7f9d33 LeaveCriticalSection _doexit 101303->101318 101306->101286 101307->101293 101309->101288 101310->101292 101311->101303 101313 7f2d5e RtlFreeHeap 101312->101313 101314 7f2d87 _free 101312->101314 101313->101314 101315 7f2d73 101313->101315 101314->101303 101319 7f8b28 58 API calls __getptd_noexit 101315->101319 101317 7f2d79 GetLastError 101317->101314 101318->101292 101319->101317 101320->101265 101321->101266 101322->101270 101326 7f9d75 LeaveCriticalSection 101323->101326 101325 7f2c87 101325->101256 101326->101325 101327 7de5ab 101330 7dd100 101327->101330 101329 7de5b9 101331 7dd11d 101330->101331 101359 7dd37d 101330->101359 101332 812691 101331->101332 101333 8126e0 101331->101333 101362 7dd144 101331->101362 101336 812694 101332->101336 101342 8126af 101332->101342 101402 84a3e6 341 API calls __cinit 101333->101402 101337 8126a0 101336->101337 101336->101362 101400 84a9fa 341 API calls 101337->101400 101338 7f2d40 __cinit 67 API calls 101338->101362 101341 7dd434 101394 7d8a52 68 API calls 101341->101394 101342->101359 101401 84aea2 341 API calls 3 library calls 101342->101401 101343 8128b5 101343->101343 101344 7dd54b 101344->101329 101348 7dd443 101348->101329 101349 8127fc 101410 84a751 89 API calls 101349->101410 101359->101344 101411 839e4a 
89 API calls 4 library calls 101359->101411 101362->101338 101362->101341 101362->101344 101362->101349 101362->101359 101364 7d9ea0 101362->101364 101388 7d8740 68 API calls __cinit 101362->101388 101389 7d8542 68 API calls 101362->101389 101390 7d84c0 101362->101390 101395 7d843a 68 API calls 101362->101395 101396 7dcf7c 341 API calls 101362->101396 101397 7d9dda 59 API calls Mailbox 101362->101397 101398 7dcf00 89 API calls 101362->101398 101399 7dcd7d 341 API calls 101362->101399 101403 7d8a52 68 API calls 101362->101403 101404 7d9d3c 60 API calls Mailbox 101362->101404 101405 82678d 60 API calls 101362->101405 101406 7d8047 101362->101406 101365 7d9ebf 101364->101365 101384 7d9eed Mailbox 101364->101384 101366 7f0db6 Mailbox 59 API calls 101365->101366 101366->101384 101367 7db47a 101371 810055 101367->101371 101386 8109e5 101367->101386 101368 7db475 101369 7d8047 59 API calls 101368->101369 101381 7da057 101369->101381 101370 7f0db6 59 API calls Mailbox 101370->101384 101414 839e4a 89 API calls 4 library calls 101371->101414 101375 7f2d40 67 API calls __cinit 101375->101384 101376 7d8047 59 API calls 101376->101384 101377 810064 101377->101362 101379 7d7667 59 API calls 101379->101384 101381->101362 101382 826e8f 59 API calls 101382->101384 101383 8109d6 101416 839e4a 89 API calls 4 library calls 101383->101416 101384->101367 101384->101368 101384->101370 101384->101371 101384->101375 101384->101376 101384->101379 101384->101381 101384->101382 101384->101383 101387 7da55a 101384->101387 101412 7dc8c0 341 API calls 2 library calls 101384->101412 101413 7db900 60 API calls Mailbox 101384->101413 101417 839e4a 89 API calls 4 library calls 101386->101417 101415 839e4a 89 API calls 4 library calls 101387->101415 101388->101362 101389->101362 101391 7d84cb 101390->101391 101393 7d84f2 101391->101393 101418 7d89b3 69 API calls Mailbox 101391->101418 101393->101362 101394->101348 101395->101362 101396->101362 101397->101362 101398->101362 101399->101362 
101400->101344 101401->101359 101402->101362 101403->101362 101404->101362 101405->101362 101407 7d805a 101406->101407 101408 7d8052 101406->101408 101407->101362 101419 7d7f77 59 API calls 2 library calls 101408->101419 101410->101359 101411->101343 101412->101384 101413->101384 101414->101377 101415->101381 101416->101386 101417->101381 101418->101393 101419->101407 101420 7d552a 101427 7d5ab8 101420->101427 101426 7d555a Mailbox 101428 7f0db6 Mailbox 59 API calls 101427->101428 101429 7d5acb 101428->101429 101430 7f0db6 Mailbox 59 API calls 101429->101430 101431 7d553c 101430->101431 101432 7d54d2 101431->101432 101446 7d58cf 101432->101446 101434 7d5514 101434->101426 101438 7d8061 MultiByteToWideChar 101434->101438 101436 7d54e3 101436->101434 101453 7d5bc0 101436->101453 101459 7d5a7a 101436->101459 101439 7d80ce 101438->101439 101440 7d8087 101438->101440 101441 7d7d8c 59 API calls 101439->101441 101442 7f0db6 Mailbox 59 API calls 101440->101442 101445 7d80c0 101441->101445 101443 7d809c MultiByteToWideChar 101442->101443 101476 7d774d 59 API calls 2 library calls 101443->101476 101445->101426 101447 80dc3c 101446->101447 101448 7d58e0 101446->101448 101468 825ecd 59 API calls Mailbox 101447->101468 101448->101436 101450 80dc46 101451 7f0db6 Mailbox 59 API calls 101450->101451 101452 80dc52 101451->101452 101454 7d5c33 101453->101454 101458 7d5bce 101453->101458 101469 7d5c4e SetFilePointerEx 101454->101469 101455 7d5bf6 101455->101436 101457 7d5c06 ReadFile 101457->101455 101457->101458 101458->101455 101458->101457 101460 7d5a8e 101459->101460 101461 80dcee 101459->101461 101470 7d59b9 101460->101470 101475 825ecd 59 API calls Mailbox 101461->101475 101464 7d5a9a 101464->101436 101465 80dcf9 101466 7f0db6 Mailbox 59 API calls 101465->101466 101467 80dd0e _memmove 101466->101467 101468->101450 101469->101458 101471 7d59d1 101470->101471 101474 7d59ca _memmove 101470->101474 101472 80dc7e 101471->101472 101473 7f0db6 Mailbox 59 API calls 101471->101473 
101473->101474 101474->101464 101475->101465 101476->101445 101477 7d1055 101482 7d2649 101477->101482 101480 7f2d40 __cinit 67 API calls 101481 7d1064 101480->101481 101483 7d7667 59 API calls 101482->101483 101484 7d26b7 101483->101484 101489 7d3582 101484->101489 101486 7d2754 101488 7d105a 101486->101488 101492 7d3416 59 API calls 2 library calls 101486->101492 101488->101480 101493 7d35b0 101489->101493 101492->101486 101494 7d35bd 101493->101494 101496 7d35a1 101493->101496 101495 7d35c4 RegOpenKeyExW 101494->101495 101494->101496 101495->101496 101497 7d35de RegQueryValueExW 101495->101497 101496->101486 101498 7d35ff 101497->101498 101499 7d3614 RegCloseKey 101497->101499 101498->101499 101499->101496 101500 7f7c56 101501 7f7c62 __close 101500->101501 101537 7f9e08 GetStartupInfoW 101501->101537 101503 7f7c67 101539 7f8b7c GetProcessHeap 101503->101539 101505 7f7cbf 101506 7f7cca 101505->101506 101622 7f7da6 58 API calls 3 library calls 101505->101622 101540 7f9ae6 101506->101540 101509 7f7cd0 101510 7f7cdb __RTC_Initialize 101509->101510 101623 7f7da6 58 API calls 3 library calls 101509->101623 101561 7fd5d2 101510->101561 101513 7f7cea 101514 7f7cf6 GetCommandLineW 101513->101514 101624 7f7da6 58 API calls 3 library calls 101513->101624 101580 804f23 GetEnvironmentStringsW 101514->101580 101517 7f7cf5 101517->101514 101520 7f7d10 101521 7f7d1b 101520->101521 101625 7f30b5 58 API calls 3 library calls 101520->101625 101590 804d58 101521->101590 101524 7f7d21 101525 7f7d2c 101524->101525 101626 7f30b5 58 API calls 3 library calls 101524->101626 101604 7f30ef 101525->101604 101528 7f7d34 101529 7f7d3f __wwincmdln 101528->101529 101627 7f30b5 58 API calls 3 library calls 101528->101627 101610 7d47d0 101529->101610 101532 7f7d53 101533 7f7d62 101532->101533 101628 7f3358 58 API calls _doexit 101532->101628 101629 7f30e0 58 API calls _doexit 101533->101629 101536 7f7d67 __close 101538 7f9e1e 101537->101538 101538->101503 101539->101505 101630 7f3187 36 API 
calls 2 library calls 101540->101630 101542 7f9aeb 101631 7f9d3c InitializeCriticalSectionAndSpinCount __ioinit 101542->101631 101544 7f9af0 101545 7f9af4 101544->101545 101633 7f9d8a TlsAlloc 101544->101633 101632 7f9b5c 61 API calls 2 library calls 101545->101632 101548 7f9b06 101548->101545 101550 7f9b11 101548->101550 101549 7f9af9 101549->101509 101634 7f87d5 101550->101634 101553 7f9b53 101642 7f9b5c 61 API calls 2 library calls 101553->101642 101556 7f9b32 101556->101553 101558 7f9b38 101556->101558 101557 7f9b58 101557->101509 101641 7f9a33 58 API calls 4 library calls 101558->101641 101560 7f9b40 GetCurrentThreadId 101560->101509 101562 7fd5de __close 101561->101562 101563 7f9c0b __lock 58 API calls 101562->101563 101564 7fd5e5 101563->101564 101565 7f87d5 __calloc_crt 58 API calls 101564->101565 101568 7fd5f6 101565->101568 101566 7fd601 __close @_EH4_CallFilterFunc@8 101566->101513 101567 7fd661 GetStartupInfoW 101573 7fd676 101567->101573 101577 7fd7a5 101567->101577 101568->101566 101568->101567 101569 7fd86d 101656 7fd87d LeaveCriticalSection _doexit 101569->101656 101571 7f87d5 __calloc_crt 58 API calls 101571->101573 101572 7fd7f2 GetStdHandle 101572->101577 101573->101571 101576 7fd6c4 101573->101576 101573->101577 101574 7fd805 GetFileType 101574->101577 101575 7fd6f8 GetFileType 101575->101576 101576->101575 101576->101577 101654 7f9e2b InitializeCriticalSectionAndSpinCount 101576->101654 101577->101569 101577->101572 101577->101574 101655 7f9e2b InitializeCriticalSectionAndSpinCount 101577->101655 101581 7f7d06 101580->101581 101582 804f34 101580->101582 101586 804b1b GetModuleFileNameW 101581->101586 101582->101582 101657 7f881d 58 API calls __malloc_crt 101582->101657 101584 804f5a _memmove 101585 804f70 FreeEnvironmentStringsW 101584->101585 101585->101581 101587 804b4f _wparse_cmdline 101586->101587 101589 804b8f _wparse_cmdline 101587->101589 101658 7f881d 58 API calls __malloc_crt 101587->101658 101589->101520 101591 804d71 __wsetenvp 
101590->101591 101595 804d69 101590->101595 101592 7f87d5 __calloc_crt 58 API calls 101591->101592 101600 804d9a __wsetenvp 101592->101600 101593 804df1 101594 7f2d55 _free 58 API calls 101593->101594 101594->101595 101595->101524 101596 7f87d5 __calloc_crt 58 API calls 101596->101600 101597 804e16 101598 7f2d55 _free 58 API calls 101597->101598 101598->101595 101600->101593 101600->101595 101600->101596 101600->101597 101601 804e2d 101600->101601 101659 804607 58 API calls ___wstrgtold12_l 101600->101659 101660 7f8dc6 IsProcessorFeaturePresent 101601->101660 101603 804e39 101603->101524 101605 7f30fb __IsNonwritableInCurrentImage 101604->101605 101683 7fa4d1 101605->101683 101607 7f3119 __initterm_e 101608 7f2d40 __cinit 67 API calls 101607->101608 101609 7f3138 _doexit __IsNonwritableInCurrentImage 101607->101609 101608->101609 101609->101528 101611 7d47ea 101610->101611 101621 7d4889 101610->101621 101612 7d4824 IsThemeActive 101611->101612 101686 7f336c 101612->101686 101616 7d4850 101698 7d48fd SystemParametersInfoW SystemParametersInfoW 101616->101698 101618 7d485c 101699 7d3b3a 101618->101699 101620 7d4864 SystemParametersInfoW 101620->101621 101621->101532 101622->101506 101623->101510 101624->101517 101628->101533 101629->101536 101630->101542 101631->101544 101632->101549 101633->101548 101635 7f87dc 101634->101635 101637 7f8817 101635->101637 101639 7f87fa 101635->101639 101643 8051f6 101635->101643 101637->101553 101640 7f9de6 TlsSetValue 101637->101640 101639->101635 101639->101637 101651 7fa132 Sleep 101639->101651 101640->101556 101641->101560 101642->101557 101644 805201 101643->101644 101649 80521c 101643->101649 101645 80520d 101644->101645 101644->101649 101652 7f8b28 58 API calls __getptd_noexit 101645->101652 101647 80522c HeapAlloc 101648 805212 101647->101648 101647->101649 101648->101635 101649->101647 101649->101648 101653 7f33a1 DecodePointer 101649->101653 101651->101639 101652->101648 101653->101649 101654->101576 101655->101577 
101656->101566 101657->101584 101658->101589 101659->101600 101661 7f8dd1 101660->101661 101666 7f8c59 101661->101666 101665 7f8dec 101665->101603 101667 7f8c73 _memset __call_reportfault 101666->101667 101668 7f8c93 IsDebuggerPresent 101667->101668 101674 7fa155 SetUnhandledExceptionFilter UnhandledExceptionFilter 101668->101674 101671 7f8d57 __call_reportfault 101675 7fc5f6 101671->101675 101672 7f8d7a 101673 7fa140 GetCurrentProcess TerminateProcess 101672->101673 101673->101665 101674->101671 101676 7fc5fe 101675->101676 101677 7fc600 IsProcessorFeaturePresent 101675->101677 101676->101672 101679 80590a 101677->101679 101682 8058b9 5 API calls 2 library calls 101679->101682 101681 8059ed 101681->101672 101682->101681 101684 7fa4d4 EncodePointer 101683->101684 101684->101684 101685 7fa4ee 101684->101685 101685->101607 101687 7f9c0b __lock 58 API calls 101686->101687 101688 7f3377 DecodePointer EncodePointer 101687->101688 101751 7f9d75 LeaveCriticalSection 101688->101751 101690 7d4849 101691 7f33d4 101690->101691 101692 7f33de 101691->101692 101693 7f33f8 101691->101693 101692->101693 101752 7f8b28 58 API calls __getptd_noexit 101692->101752 101693->101616 101695 7f33e8 101753 7f8db6 9 API calls ___wstrgtold12_l 101695->101753 101697 7f33f3 101697->101616 101698->101618 101700 7d3b47 __ftell_nolock 101699->101700 101701 7d7667 59 API calls 101700->101701 101702 7d3b51 GetCurrentDirectoryW 101701->101702 101754 7d3766 101702->101754 101704 7d3b7a IsDebuggerPresent 101705 80d272 MessageBoxA 101704->101705 101706 7d3b88 101704->101706 101708 80d28c 101705->101708 101706->101708 101709 7d3ba5 101706->101709 101738 7d3c61 101706->101738 101707 7d3c68 SetCurrentDirectoryW 101712 7d3c75 Mailbox 101707->101712 101964 7d7213 59 API calls Mailbox 101708->101964 101835 7d7285 101709->101835 101712->101620 101713 80d29c 101718 80d2b2 SetCurrentDirectoryW 101713->101718 101715 7d3bc3 GetFullPathNameW 101716 7d7bcc 59 API calls 101715->101716 101717 7d3bfe 101716->101717 
101851 7e092d 101717->101851 101718->101712 101721 7d3c1c 101722 7d3c26 101721->101722 101965 82874b AllocateAndInitializeSid CheckTokenMembership FreeSid 101721->101965 101867 7d3a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 101722->101867 101725 80d2cf 101725->101722 101729 80d2e0 101725->101729 101728 7d3c30 101730 7d3c43 101728->101730 101875 7d434a 101728->101875 101731 7d4706 61 API calls 101729->101731 101886 7e09d0 101730->101886 101732 80d2e8 101731->101732 101735 7d7de1 59 API calls 101732->101735 101737 80d2f5 101735->101737 101739 80d324 101737->101739 101740 80d2ff 101737->101740 101738->101707 101743 7d7cab 59 API calls 101739->101743 101742 7d7cab 59 API calls 101740->101742 101744 80d30a 101742->101744 101745 80d320 GetForegroundWindow ShellExecuteW 101743->101745 101751->101690 101752->101695 101753->101697 101755 7d7667 59 API calls 101754->101755 101756 7d377c 101755->101756 101975 7d3d31 101756->101975 101758 7d379a 101759 7d4706 61 API calls 101758->101759 101760 7d37ae 101759->101760 101761 7d7de1 59 API calls 101760->101761 101762 7d37bb 101761->101762 101989 7d4ddd 101762->101989 101765 7d37dc Mailbox 101770 7d8047 59 API calls 101765->101770 101766 80d173 102052 83955b 101766->102052 101769 80d192 101772 7f2d55 _free 58 API calls 101769->101772 101773 7d37ef 101770->101773 101774 80d19f 101772->101774 102013 7d928a 101773->102013 101776 7d4e4a 84 API calls 101774->101776 101778 80d1a8 101776->101778 101782 7d3ed0 59 API calls 101778->101782 101779 7d7de1 59 API calls 101780 7d3808 101779->101780 101781 7d84c0 69 API calls 101780->101781 101783 7d381a Mailbox 101781->101783 101784 80d1c3 101782->101784 101785 7d7de1 59 API calls 101783->101785 101786 7d3ed0 59 API calls 101784->101786 101787 7d3840 101785->101787 101788 80d1df 101786->101788 101789 7d84c0 69 API calls 101787->101789 101790 7d4706 61 API calls 101788->101790 101792 7d384f Mailbox 101789->101792 101791 80d204 101790->101791 101793 7d3ed0 59 API calls 
101791->101793 101795 7d7667 59 API calls 101792->101795 101794 80d210 101793->101794 101796 7d8047 59 API calls 101794->101796 101797 7d386d 101795->101797 101798 80d21e 101796->101798 102016 7d3ed0 101797->102016 101800 7d3ed0 59 API calls 101798->101800 101802 80d22d 101800->101802 101808 7d8047 59 API calls 101802->101808 101804 7d3887 101804->101778 101805 7d3891 101804->101805 101806 7f2efd _W_store_winword 60 API calls 101805->101806 101807 7d389c 101806->101807 101807->101784 101809 7d38a6 101807->101809 101810 80d24f 101808->101810 101811 7f2efd _W_store_winword 60 API calls 101809->101811 101812 7d3ed0 59 API calls 101810->101812 101813 7d38b1 101811->101813 101814 80d25c 101812->101814 101813->101788 101815 7d38bb 101813->101815 101814->101814 101816 7f2efd _W_store_winword 60 API calls 101815->101816 101817 7d38c6 101816->101817 101817->101802 101818 7d3907 101817->101818 101820 7d3ed0 59 API calls 101817->101820 101818->101802 101819 7d3914 101818->101819 102032 7d92ce 101819->102032 101822 7d38ea 101820->101822 101824 7d8047 59 API calls 101822->101824 101826 7d38f8 101824->101826 101828 7d3ed0 59 API calls 101826->101828 101828->101818 101830 7d928a 59 API calls 101832 7d394f 101830->101832 101831 7d8ee0 60 API calls 101831->101832 101832->101830 101832->101831 101833 7d3ed0 59 API calls 101832->101833 101834 7d3995 Mailbox 101832->101834 101833->101832 101834->101704 101836 7d7292 __ftell_nolock 101835->101836 101837 80ea22 _memset 101836->101837 101838 7d72ab 101836->101838 101840 80ea3e GetOpenFileNameW 101837->101840 101839 7d4750 60 API calls 101838->101839 101841 7d72b4 101839->101841 101842 80ea8d 101840->101842 102907 7f0791 101841->102907 101844 7d7bcc 59 API calls 101842->101844 101846 80eaa2 101844->101846 101846->101846 101848 7d72c9 102925 7d686a 101848->102925 101852 7e093a __ftell_nolock 101851->101852 103230 7d6d80 101852->103230 101854 7e093f 101855 7d3c14 101854->101855 103241 7e119e 89 API calls 101854->103241 101855->101713 
101855->101721 101857 7e094c 101857->101855 103242 7e3ee7 91 API calls Mailbox 101857->103242 101859 7e0955 101859->101855 101860 7e0959 GetFullPathNameW 101859->101860 101861 7d7bcc 59 API calls 101860->101861 101862 7e0985 101861->101862 101863 7d7bcc 59 API calls 101862->101863 101864 7e0992 101863->101864 101865 814cab _wcscat 101864->101865 101866 7d7bcc 59 API calls 101864->101866 101866->101855 101868 80d261 101867->101868 101869 7d3ab0 LoadImageW RegisterClassExW 101867->101869 103281 7d47a0 LoadImageW EnumResourceNamesW 101868->103281 103280 7d3041 7 API calls 101869->103280 101872 7d3b34 101874 7d39d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 101872->101874 101873 80d26a 101874->101728 101876 7d4375 _memset 101875->101876 103282 7d4182 101876->103282 101964->101713 101965->101725 101976 7d3d3e __ftell_nolock 101975->101976 101977 7d7bcc 59 API calls 101976->101977 101982 7d3ea4 Mailbox 101976->101982 101979 7d3d70 101977->101979 101988 7d3da6 Mailbox 101979->101988 102093 7d79f2 101979->102093 101980 7d79f2 59 API calls 101980->101988 101981 7d7de1 59 API calls 101985 7d3e98 101981->101985 101982->101758 101983 7d3e77 101983->101981 101983->101982 101984 7d7de1 59 API calls 101984->101988 101986 7d3f74 59 API calls 101985->101986 101986->101982 101987 7d3f74 59 API calls 101987->101988 101988->101980 101988->101982 101988->101983 101988->101984 101988->101987 102096 7d4bb5 101989->102096 101994 7d4e08 LoadLibraryExW 102106 7d4b6a 101994->102106 101995 80d8e6 101996 7d4e4a 84 API calls 101995->101996 101998 80d8ed 101996->101998 102000 7d4b6a 3 API calls 101998->102000 102003 80d8f5 102000->102003 102002 7d4e2f 102002->102003 102004 7d4e3b 102002->102004 102132 7d4f0b 102003->102132 102005 7d4e4a 84 API calls 102004->102005 102007 7d37d4 102005->102007 102007->101765 102007->101766 102010 80d91c 102140 7d4ec7 102010->102140 102012 80d929 102014 7f0db6 Mailbox 59 API calls 102013->102014 102015 7d37fb 102014->102015 102015->101779 102017 7d3eda 
102016->102017 102018 7d3ef3 102016->102018 102019 7d8047 59 API calls 102017->102019 102020 7d7bcc 59 API calls 102018->102020 102021 7d3879 102019->102021 102020->102021 102022 7f2efd 102021->102022 102023 7f2f7e 102022->102023 102024 7f2f09 102022->102024 102569 7f2f90 60 API calls 3 library calls 102023->102569 102031 7f2f2e 102024->102031 102567 7f8b28 58 API calls __getptd_noexit 102024->102567 102026 7f2f8b 102026->101804 102028 7f2f15 102568 7f8db6 9 API calls ___wstrgtold12_l 102028->102568 102030 7f2f20 102030->101804 102031->101804 102033 7d92d6 102032->102033 102034 7f0db6 Mailbox 59 API calls 102033->102034 102035 7d92e4 102034->102035 102036 7d3924 102035->102036 102570 7d91fc 59 API calls Mailbox 102035->102570 102038 7d9050 102036->102038 102571 7d9160 102038->102571 102040 7d905f 102041 7f0db6 Mailbox 59 API calls 102040->102041 102042 7d3932 102040->102042 102041->102042 102043 7d8ee0 102042->102043 102044 80f17c 102043->102044 102048 7d8ef7 102043->102048 102044->102048 102581 7d8bdb 59 API calls Mailbox 102044->102581 102046 7d8ff8 102049 7f0db6 Mailbox 59 API calls 102046->102049 102047 7d9040 102580 7d9d3c 60 API calls Mailbox 102047->102580 102048->102046 102048->102047 102051 7d8fff 102048->102051 102049->102051 102051->101832 102053 7d4ee5 85 API calls 102052->102053 102054 8395ca 102053->102054 102582 839734 102054->102582 102057 7d4f0b 74 API calls 102058 8395f7 102057->102058 102059 7d4f0b 74 API calls 102058->102059 102060 839607 102059->102060 102061 7d4f0b 74 API calls 102060->102061 102062 839622 102061->102062 102063 7d4f0b 74 API calls 102062->102063 102064 83963d 102063->102064 102065 7d4ee5 85 API calls 102064->102065 102066 839654 102065->102066 102067 7f571c __malloc_crt 58 API calls 102066->102067 102068 83965b 102067->102068 102069 7f571c __malloc_crt 58 API calls 102068->102069 102070 839665 102069->102070 102071 7d4f0b 74 API calls 102070->102071 102072 839679 102071->102072 102073 839109 GetSystemTimeAsFileTime 
102072->102073 102074 83968c 102073->102074 102075 8396a1 102074->102075 102076 8396b6 102074->102076 102077 7f2d55 _free 58 API calls 102075->102077 102078 83971b 102076->102078 102079 8396bc 102076->102079 102081 8396a7 102077->102081 102080 7f2d55 _free 58 API calls 102078->102080 102588 838b06 102079->102588 102085 80d186 102080->102085 102083 7f2d55 _free 58 API calls 102081->102083 102083->102085 102085->101769 102087 7d4e4a 102085->102087 102086 7f2d55 _free 58 API calls 102086->102085 102088 7d4e54 102087->102088 102092 7d4e5b 102087->102092 102089 7f53a6 __fcloseall 83 API calls 102088->102089 102089->102092 102090 7d4e7b FreeLibrary 102091 7d4e6a 102090->102091 102091->101769 102092->102090 102092->102091 102094 7d7e4f 59 API calls 102093->102094 102095 7d79fd 102094->102095 102095->101979 102145 7d4c03 102096->102145 102099 7d4c03 2 API calls 102102 7d4bdc 102099->102102 102100 7d4bec FreeLibrary 102101 7d4bf5 102100->102101 102103 7f525b 102101->102103 102102->102100 102102->102101 102149 7f5270 102103->102149 102105 7d4dfc 102105->101994 102105->101995 102307 7d4c36 102106->102307 102109 7d4b8f 102110 7d4baa 102109->102110 102111 7d4ba1 FreeLibrary 102109->102111 102113 7d4c70 102110->102113 102111->102110 102112 7d4c36 2 API calls 102112->102109 102114 7f0db6 Mailbox 59 API calls 102113->102114 102115 7d4c85 102114->102115 102116 7d522e 59 API calls 102115->102116 102117 7d4c91 _memmove 102116->102117 102118 7d4ccc 102117->102118 102119 7d4d89 102117->102119 102120 7d4dc1 102117->102120 102121 7d4ec7 69 API calls 102118->102121 102311 7d4e89 CreateStreamOnHGlobal 102119->102311 102322 83991b 95 API calls 102120->102322 102127 7d4cd5 102121->102127 102124 7d4f0b 74 API calls 102124->102127 102126 7d4d69 102126->102002 102127->102124 102127->102126 102128 80d8a7 102127->102128 102317 7d4ee5 102127->102317 102129 7d4ee5 85 API calls 102128->102129 102130 80d8bb 102129->102130 102131 7d4f0b 74 API calls 102130->102131 102131->102126 102133 7d4f1d 
102132->102133 102134 80d9cd 102132->102134 102346 7f55e2 102133->102346 102137 839109 102544 838f5f 102137->102544 102139 83911f 102139->102010 102141 7d4ed6 102140->102141 102144 80d990 102140->102144 102549 7f5c60 102141->102549 102143 7d4ede 102143->102012 102146 7d4bd0 102145->102146 102147 7d4c0c LoadLibraryA 102145->102147 102146->102099 102146->102102 102147->102146 102148 7d4c1d GetProcAddress 102147->102148 102148->102146 102151 7f527c __close 102149->102151 102150 7f528f 102198 7f8b28 58 API calls __getptd_noexit 102150->102198 102151->102150 102154 7f52c0 102151->102154 102153 7f5294 102199 7f8db6 9 API calls ___wstrgtold12_l 102153->102199 102168 8004e8 102154->102168 102157 7f52c5 102158 7f52ce 102157->102158 102159 7f52db 102157->102159 102200 7f8b28 58 API calls __getptd_noexit 102158->102200 102161 7f5305 102159->102161 102162 7f52e5 102159->102162 102183 800607 102161->102183 102201 7f8b28 58 API calls __getptd_noexit 102162->102201 102165 7f529f __close @_EH4_CallFilterFunc@8 102165->102105 102169 8004f4 __close 102168->102169 102170 7f9c0b __lock 58 API calls 102169->102170 102180 800502 102170->102180 102171 80057d 102208 7f881d 58 API calls __malloc_crt 102171->102208 102174 8005f3 __close 102174->102157 102175 800584 102181 800576 102175->102181 102209 7f9e2b InitializeCriticalSectionAndSpinCount 102175->102209 102177 7f9c93 __mtinitlocknum 58 API calls 102177->102180 102179 8005aa EnterCriticalSection 102179->102181 102180->102171 102180->102177 102180->102181 102206 7f6c50 59 API calls __lock 102180->102206 102207 7f6cba LeaveCriticalSection LeaveCriticalSection _doexit 102180->102207 102203 8005fe 102181->102203 102191 800627 __wopenfile 102183->102191 102184 800641 102214 7f8b28 58 API calls __getptd_noexit 102184->102214 102186 8007fc 102186->102184 102190 80085f 102186->102190 102187 800646 102215 7f8db6 9 API calls ___wstrgtold12_l 102187->102215 102189 7f5310 102202 7f5332 LeaveCriticalSection LeaveCriticalSection _fseek 
103911 7d4af8 103909->103911 103921 7d4b37 103910->103921 103911->103890 103914 7d4b1f GetSystemInfo 103916 7d4ae9 103914->103916 103915 7d4ad4 103917 7d4b37 2 API calls 103915->103917 103916->103911 103919 7d4aef FreeLibrary 103916->103919 103918 7d4adc GetNativeSystemInfo 103917->103918 103918->103916 103919->103911 103922 7d4ad0 103921->103922 103923 7d4b40 LoadLibraryA 103921->103923 103922->103914 103922->103915 103923->103922 103924 7d4b51 GetProcAddress 103923->103924 103924->103922 103925 80fdfc 103960 7dab30 Mailbox _memmove 103925->103960 103927 82617e Mailbox 59 API calls 103952 7da057 103927->103952 103929 7f0db6 59 API calls Mailbox 103929->103960 103932 810055 104113 839e4a 89 API calls 4 library calls 103932->104113 103935 7db475 103942 7d8047 59 API calls 103935->103942 103937 7f0db6 59 API calls Mailbox 103949 7d9f37 Mailbox 103937->103949 103938 810064 103939 7db47a 103939->103932 103953 8109e5 103939->103953 103942->103952 103943 7d7667 59 API calls 103943->103949 103944 7d8047 59 API calls 103944->103949 103946 826e8f 59 API calls 103946->103949 103947 7f2d40 67 API calls __cinit 103947->103949 103948 7d7de1 59 API calls 103948->103960 103949->103932 103949->103935 103949->103937 103949->103939 103949->103943 103949->103944 103949->103946 103949->103947 103950 8109d6 103949->103950 103949->103952 103954 7da55a 103949->103954 104106 7dc8c0 341 API calls 2 library calls 103949->104106 104107 7db900 60 API calls Mailbox 103949->104107 104118 839e4a 89 API calls 4 library calls 103950->104118 104119 839e4a 89 API calls 4 library calls 103953->104119 104117 839e4a 89 API calls 4 library calls 103954->104117 103955 84bc6b 341 API calls 103955->103960 103957 7db2b6 104111 7df6a3 341 API calls 103957->104111 103959 7d9ea0 341 API calls 103959->103960 103960->103929 103960->103948 103960->103949 103960->103952 103960->103955 103960->103957 103960->103959 103961 81086a 103960->103961 103963 810878 103960->103963 103965 81085c 103960->103965 103966 7db21c 
103960->103966 103970 7db525 103960->103970 103971 826e8f 59 API calls 103960->103971 103975 83d07b 103960->103975 104022 84df23 103960->104022 104025 7e1fc3 103960->104025 104065 84c2e0 103960->104065 104097 837956 103960->104097 104103 82617e 103960->104103 104108 7d9c90 59 API calls Mailbox 103960->104108 104112 84c193 85 API calls 2 library calls 103960->104112 104115 7d9c90 59 API calls Mailbox 103961->104115 104116 839e4a 89 API calls 4 library calls 103963->104116 103965->103927 103965->103952 104109 7d9d3c 60 API calls Mailbox 103966->104109 103968 7db22d 104110 7d9d3c 60 API calls Mailbox 103968->104110 104114 839e4a 89 API calls 4 library calls 103970->104114 103971->103960 103976 83d09a 103975->103976 103978 83d0a5 103975->103978 104120 7d9b3c 59 API calls 103976->104120 103981 7d7667 59 API calls 103978->103981 104020 83d17f Mailbox 103978->104020 103979 7f0db6 Mailbox 59 API calls 103980 83d1c8 103979->103980 103982 83d1d4 103980->103982 104123 7d57a6 60 API calls Mailbox 103980->104123 103983 83d0c9 103981->103983 103987 7d9837 84 API calls 103982->103987 103984 7d7667 59 API calls 103983->103984 103986 83d0d2 103984->103986 103989 7d9837 84 API calls 103986->103989 103988 83d1ec 103987->103988 103990 7d57f6 67 API calls 103988->103990 103991 83d0de 103989->103991 103992 83d1fb 103990->103992 103993 7d459b 59 API calls 103991->103993 103994 83d233 103992->103994 103995 83d1ff GetLastError 103992->103995 103996 83d0f3 103993->103996 103999 83d295 103994->103999 104000 83d25e 103994->104000 103997 83d218 103995->103997 103998 7d7b2e 59 API calls 103996->103998 104017 83d188 Mailbox 103997->104017 104124 7d58ba CloseHandle 103997->104124 104001 83d126 103998->104001 104004 7f0db6 Mailbox 59 API calls 103999->104004 104002 7f0db6 Mailbox 59 API calls 104000->104002 104003 83d178 104001->104003 104008 833c37 3 API calls 104001->104008 104005 83d263 104002->104005 104122 7d9b3c 59 API calls 104003->104122 104009 83d29a 104004->104009 104010 83d274 
104005->104010 104012 7d7667 59 API calls 104005->104012 104011 83d136 104008->104011 104014 7d7667 59 API calls 104009->104014 104009->104017 104125 84fbce 59 API calls 2 library calls 104010->104125 104011->104003 104013 83d13a 104011->104013 104012->104010 104016 7d7de1 59 API calls 104013->104016 104014->104017 104018 83d147 104016->104018 104017->103960 104121 833a2a 63 API calls Mailbox 104018->104121 104020->103979 104020->104017 104021 83d150 Mailbox 104021->104003 104023 84cadd 130 API calls 104022->104023 104024 84df33 104023->104024 104024->103960 104026 7d9a98 59 API calls 104025->104026 104027 7e1fdb 104026->104027 104029 7f0db6 Mailbox 59 API calls 104027->104029 104030 816585 104027->104030 104031 7e1ff4 104029->104031 104035 7e2029 104030->104035 104145 83f574 59 API calls 104030->104145 104033 7e2004 104031->104033 104141 7d57a6 60 API calls Mailbox 104031->104141 104034 7d9837 84 API calls 104033->104034 104036 7e2012 104034->104036 104041 7e2036 104035->104041 104146 7d9b3c 59 API calls 104035->104146 104039 7d57f6 67 API calls 104036->104039 104038 8165cd 104040 8165d5 104038->104040 104038->104041 104042 7e2021 104039->104042 104147 7d9b3c 59 API calls 104040->104147 104044 7d5cdf 2 API calls 104041->104044 104042->104030 104042->104035 104144 7d58ba CloseHandle 104042->104144 104046 7e203d 104044->104046 104047 8165e7 104046->104047 104048 7e2057 104046->104048 104050 7f0db6 Mailbox 59 API calls 104047->104050 104049 7d7667 59 API calls 104048->104049 104051 7e205f 104049->104051 104052 8165ed 104050->104052 104126 7d5572 104051->104126 104054 816601 104052->104054 104148 7d5850 ReadFile SetFilePointerEx 104052->104148 104059 816605 _memmove 104054->104059 104149 8376c4 59 API calls 2 library calls 104054->104149 104055 7e206e 104055->104059 104142 7d9a3c 59 API calls Mailbox 104055->104142 104060 7e2082 Mailbox 104061 7e20bc 104060->104061 104062 7d5c6f CloseHandle 104060->104062 104061->103960 104063 7e20b0 104062->104063 104063->104061 
104143 7d58ba CloseHandle 104063->104143 104066 7d7667 59 API calls 104065->104066 104067 84c2f4 104066->104067 104068 7d7667 59 API calls 104067->104068 104069 84c2fc 104068->104069 104070 7d7667 59 API calls 104069->104070 104071 84c304 104070->104071 104072 7d9837 84 API calls 104071->104072 104073 84c312 104072->104073 104074 7d7bcc 59 API calls 104073->104074 104076 84c4e2 104073->104076 104078 84c528 Mailbox 104073->104078 104079 7d7924 59 API calls 104073->104079 104080 84c4fd 104073->104080 104081 7d8047 59 API calls 104073->104081 104084 7d7e4f 59 API calls 104073->104084 104088 84c4fb 104073->104088 104090 7d7e4f 59 API calls 104073->104090 104094 7d9837 84 API calls 104073->104094 104095 7d7cab 59 API calls 104073->104095 104096 7d7b2e 59 API calls 104073->104096 104074->104073 104077 7d7cab 59 API calls 104076->104077 104082 84c4ef 104077->104082 104078->103960 104079->104073 104083 7d7cab 59 API calls 104080->104083 104081->104073 104085 7d7b2e 59 API calls 104082->104085 104086 84c50c 104083->104086 104087 84c3a9 CharUpperBuffW 104084->104087 104085->104088 104089 7d7b2e 59 API calls 104086->104089 104153 7d843a 68 API calls 104087->104153 104088->104078 104155 7d9a3c 59 API calls Mailbox 104088->104155 104089->104088 104092 84c469 CharUpperBuffW 104090->104092 104154 7dc5a7 69 API calls 2 library calls 104092->104154 104094->104073 104095->104073 104096->104073 104098 837962 104097->104098 104099 7f0db6 Mailbox 59 API calls 104098->104099 104100 837970 104099->104100 104101 7d7667 59 API calls 104100->104101 104102 83797e 104100->104102 104101->104102 104102->103960 104156 8260c0 104103->104156 104105 82618c 104105->103960 104106->103949 104107->103949 104108->103960 104109->103968 104110->103957 104111->103970 104112->103960 104113->103938 104114->103965 104115->103965 104116->103965 104117->103952 104118->103953 104119->103952 104120->103978 104121->104021 104122->104020 104123->103982 104124->104017 104125->104017 104127 7d557d 104126->104127 
104128 7d55a2 104126->104128 104127->104128 104133 7d558c 104127->104133 104129 7d7d8c 59 API calls 104128->104129 104132 83325e 104129->104132 104130 83328d 104130->104055 104132->104130 104150 8331fa ReadFile SetFilePointerEx 104132->104150 104151 7d7924 59 API calls 2 library calls 104132->104151 104134 7d5ab8 59 API calls 104133->104134 104136 83337e 104134->104136 104137 7d54d2 61 API calls 104136->104137 104138 83338c 104137->104138 104140 83339c Mailbox 104138->104140 104152 7d77da 61 API calls Mailbox 104138->104152 104140->104055 104141->104033 104142->104060 104143->104061 104144->104030 104145->104030 104146->104038 104147->104046 104148->104054 104149->104059 104150->104132 104151->104132 104152->104140 104153->104073 104154->104073 104155->104078 104157 8260cb 104156->104157 104158 8260e8 104156->104158 104157->104158 104160 8260ab 59 API calls Mailbox 104157->104160 104158->104105 104160->104157 104161 7d3633 104162 7d366a 104161->104162 104163 7d3688 104162->104163 104164 7d36e7 104162->104164 104165 7d36e5 104162->104165 104166 7d374b PostQuitMessage 104163->104166 104167 7d3695 104163->104167 104169 7d36ed 104164->104169 104170 80d0cc 104164->104170 104168 7d36ca DefWindowProcW 104165->104168 104176 7d36d8 104166->104176 104174 80d154 104167->104174 104175 7d36a0 104167->104175 104168->104176 104171 7d3715 SetTimer RegisterWindowMessageW 104169->104171 104172 7d36f2 104169->104172 104210 7e1070 10 API calls Mailbox 104170->104210 104171->104176 104180 7d373e CreatePopupMenu 104171->104180 104177 7d36f9 KillTimer 104172->104177 104178 80d06f 104172->104178 104215 832527 71 API calls _memset 104174->104215 104181 7d36a8 104175->104181 104182 7d3755 104175->104182 104206 7d443a Shell_NotifyIconW _memset 104177->104206 104190 80d074 104178->104190 104191 80d0a8 MoveWindow 104178->104191 104179 80d0f3 104211 7e1093 341 API calls Mailbox 104179->104211 104180->104176 104186 80d139 104181->104186 104187 7d36b3 104181->104187 104208 7d44a0 64 API calls 
_memset 104182->104208 104186->104168 104214 827c36 59 API calls Mailbox 104186->104214 104193 7d36be 104187->104193 104194 80d124 104187->104194 104188 80d166 104188->104168 104188->104176 104196 80d097 SetFocus 104190->104196 104197 80d078 104190->104197 104191->104176 104192 7d370c 104207 7d3114 DeleteObject DestroyWindow Mailbox 104192->104207 104193->104168 104212 7d443a Shell_NotifyIconW _memset 104193->104212 104213 832d36 81 API calls _memset 104194->104213 104195 7d3764 104195->104176 104196->104176 104197->104193 104201 80d081 104197->104201 104209 7e1070 10 API calls Mailbox 104201->104209 104204 80d118 104205 7d434a 68 API calls 104204->104205 104205->104165 104206->104192 104207->104176 104208->104195 104209->104176 104210->104179 104211->104193 104212->104204 104213->104195 104214->104165 104215->104188

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D3B68
                                                                    • IsDebuggerPresent.KERNEL32 ref: 007D3B7A
                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,008952F8,008952E0,?,?), ref: 007D3BEB
                                                                      • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                                      • Part of subcall function 007E092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,007D3C14,008952F8,?,?,?), ref: 007E096E
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 007D3C6F
                                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00887770,00000010), ref: 0080D281
                                                                    • SetCurrentDirectoryW.KERNEL32(?,008952F8,?,?,?), ref: 0080D2B9
                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00884260,008952F8,?,?,?), ref: 0080D33F
                                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 0080D346
                                                                      • Part of subcall function 007D3A46: GetSysColorBrush.USER32(0000000F), ref: 007D3A50
                                                                      • Part of subcall function 007D3A46: LoadCursorW.USER32(00000000,00007F00), ref: 007D3A5F
                                                                      • Part of subcall function 007D3A46: LoadIconW.USER32(00000063), ref: 007D3A76
                                                                      • Part of subcall function 007D3A46: LoadIconW.USER32(000000A4), ref: 007D3A88
                                                                      • Part of subcall function 007D3A46: LoadIconW.USER32(000000A2), ref: 007D3A9A
                                                                      • Part of subcall function 007D3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007D3AC0
                                                                      • Part of subcall function 007D3A46: RegisterClassExW.USER32(?), ref: 007D3B16
                                                                      • Part of subcall function 007D39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007D3A03
                                                                      • Part of subcall function 007D39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007D3A24
                                                                      • Part of subcall function 007D39D5: ShowWindow.USER32(00000000,?,?), ref: 007D3A38
                                                                      • Part of subcall function 007D39D5: ShowWindow.USER32(00000000,?,?), ref: 007D3A41
                                                                      • Part of subcall function 007D434A: _memset.LIBCMT ref: 007D4370
                                                                      • Part of subcall function 007D434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007D4415
                                                                    Strings
                                                                    • runas, xrefs: 0080D33A
                                                                    • This is a third-party compiled AutoIt script., xrefs: 0080D279
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                                                    • API String ID: 529118366-3287110873
                                                                    • Opcode ID: 5d440573b7b4134a64e5429054179d5b5fae41e44fdad881a287c33d355877d2
                                                                    • Instruction ID: 27209713c7721f34f405f246791034ebf87a865135e4764beac76ccb2ce0ef88
                                                                    • Opcode Fuzzy Hash: 5d440573b7b4134a64e5429054179d5b5fae41e44fdad881a287c33d355877d2
                                                                    • Instruction Fuzzy Hash: 2151E070908248EEDF02BBF4DC099ED7B79FB04710F084067F515A23A2EA785645CB22

                                                                    Control-flow Graph

                                                                    Control-flow graph (rendered edge list not reproduced). Basic blocks 7d49a0-7d4b35 and 80d767-80d894; the graph calls GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, GetSystemInfo and FreeLibrary.
                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 007D49CD
                                                                      • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                                    • GetCurrentProcess.KERNEL32(?,0085FAEC,00000000,00000000,?), ref: 007D4A9A
                                                                    • IsWow64Process.KERNEL32(00000000), ref: 007D4AA1
                                                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 007D4AE7
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 007D4AF2
                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 007D4B23
                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 007D4B2F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                    • String ID:
                                                                    • API String ID: 1986165174-0
                                                                    • Opcode ID: 2569a26ec4001b28e89bf13935cca7f02876e8917f598783737f7b6918c7cb50
                                                                    • Instruction ID: 0ec9ee20bf538fee004072959ba1c7cf990e89789136799cfc44128ee12ea42d
                                                                    • Opcode Fuzzy Hash: 2569a26ec4001b28e89bf13935cca7f02876e8917f598783737f7b6918c7cb50
                                                                    • Instruction Fuzzy Hash: 4B9193319897C0DAC731DB68D9545AABFF5BF6A300B448DAED0C693B42D238A508C769

                                                                    Control-flow Graph

                                                                    Control-flow graph (rendered edge list not reproduced). Basic blocks 7d4e89-7d4ec6 and 80d933-80d98b; the graph calls CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource.
                                                                    APIs
                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007D4D8E,?,?,00000000,00000000), ref: 007D4E99
                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007D4D8E,?,?,00000000,00000000), ref: 007D4EB0
                                                                    • LoadResource.KERNEL32(?,00000000,?,?,007D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,007D4E2F), ref: 0080D937
                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,007D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,007D4E2F), ref: 0080D94C
                                                                    • LockResource.KERNEL32(007D4D8E,?,?,007D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,007D4E2F,00000000), ref: 0080D95F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                    • String ID: SCRIPT
                                                                    • API String ID: 3051347437-3967369404
                                                                    • Opcode ID: 03dfafab355795da916a72996181e33ef75dc4757fa4949fa76cf9f31c2be146
                                                                    • Instruction ID: 3bc2c9e8e9f10b993ed5f91816e32d242c3d1298084019d8a8d32d73af80fb59
                                                                    • Opcode Fuzzy Hash: 03dfafab355795da916a72996181e33ef75dc4757fa4949fa76cf9f31c2be146
                                                                    • Instruction Fuzzy Hash: DB117CB5240700BFD7218BA5EC48F677BBAFBC5B12F20426DF506C6290DB75EC008A61
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,0080E398), ref: 0083446A
                                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 0083447B
                                                                    • FindClose.KERNEL32(00000000), ref: 0083448B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$AttributesCloseFirst
                                                                    • String ID:
                                                                    • API String ID: 48322524-0
                                                                    • Opcode ID: 83cee553ec7d0a7af099f763678ea0b16a44610a801db79da5126a6238751d71
                                                                    • Instruction ID: 6970f719103c1f6b2ca53b0145ec68f189669ca6254b62ac48c56096940615b0
                                                                    • Opcode Fuzzy Hash: 83cee553ec7d0a7af099f763678ea0b16a44610a801db79da5126a6238751d71
                                                                    • Instruction Fuzzy Hash: 8BE0D8724116046752106B38EC0D4E9775CFE45336F100725FA35D21E0E778690096DA
                                                                    APIs
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007E0A5B
                                                                    • timeGetTime.WINMM ref: 007E0D16
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007E0E53
                                                                    • Sleep.KERNEL32(0000000A), ref: 007E0E61
                                                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 007E0EFA
                                                                    • DestroyWindow.USER32 ref: 007E0F06
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007E0F20
                                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00814E83
                                                                    • TranslateMessage.USER32(?), ref: 00815C60
                                                                    • DispatchMessageW.USER32(?), ref: 00815C6E
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00815C82
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                    • API String ID: 4212290369-3242690629
                                                                    • Opcode ID: 09095732edbd1d0b77ac8c9643aa36fbb2c810df68baa59f08face8f67f26579
                                                                    • Instruction ID: 466eb7bedb9c4b260d77c67f9ec8e80511409b4ceac9366242a73c56065a0f88
                                                                    • Opcode Fuzzy Hash: 09095732edbd1d0b77ac8c9643aa36fbb2c810df68baa59f08face8f67f26579
                                                                    • Instruction Fuzzy Hash: 3EB2B270609781DFD724DF24C884BAAB7E9FF84304F14491EE599D72A1DB78E884CB92

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00838F5F: __time64.LIBCMT ref: 00838F69
                                                                      • Part of subcall function 007D4EE5: _fseek.LIBCMT ref: 007D4EFD
                                                                    • __wsplitpath.LIBCMT ref: 00839234
                                                                      • Part of subcall function 007F40FB: __wsplitpath_helper.LIBCMT ref: 007F413B
                                                                    • _wcscpy.LIBCMT ref: 00839247
                                                                    • _wcscat.LIBCMT ref: 0083925A
                                                                    • __wsplitpath.LIBCMT ref: 0083927F
                                                                    • _wcscat.LIBCMT ref: 00839295
                                                                    • _wcscat.LIBCMT ref: 008392A8
                                                                      • Part of subcall function 00838FA5: _memmove.LIBCMT ref: 00838FDE
                                                                      • Part of subcall function 00838FA5: _memmove.LIBCMT ref: 00838FED
                                                                    • _wcscmp.LIBCMT ref: 008391EF
                                                                      • Part of subcall function 00839734: _wcscmp.LIBCMT ref: 00839824
                                                                      • Part of subcall function 00839734: _wcscmp.LIBCMT ref: 00839837
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00839452
                                                                    • _wcsncpy.LIBCMT ref: 008394C5
                                                                    • DeleteFileW.KERNEL32(?,?), ref: 008394FB
                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00839511
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00839522
                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00839534
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                    • String ID:
                                                                    • API String ID: 1500180987-0
                                                                    • Opcode ID: 1bb00bdfef809b7184136178e99c2dbbbe7cc816885273823d2985dac45af175
                                                                    • Instruction ID: 440a44be1bf92e077a298657676db57d682f6ac0bda022f8ff4a0614a33c95c1
                                                                    • Opcode Fuzzy Hash: 1bb00bdfef809b7184136178e99c2dbbbe7cc816885273823d2985dac45af175
                                                                    • Instruction Fuzzy Hash: 46C12BB1D0021DABDF21DF95CC85AEEB7B9FF85310F0040A6F609E6251DB749A848FA5

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 007D3074
                                                                    • RegisterClassExW.USER32(00000030), ref: 007D309E
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007D30AF
                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 007D30CC
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007D30DC
                                                                    • LoadIconW.USER32(000000A9), ref: 007D30F2
                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007D3101
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                    • API String ID: 2914291525-1005189915
                                                                    • Opcode ID: 54943ba9fa86c84e4ac161e1b30f82ee503d292ba6e52dea8b836f33b7ccc238
                                                                    • Instruction ID: af1198dc83f4f53ac5c6070f80c69e1a20d2c9aa8fcbdfa9cab8d91c8e787f96
                                                                    • Opcode Fuzzy Hash: 54943ba9fa86c84e4ac161e1b30f82ee503d292ba6e52dea8b836f33b7ccc238
                                                                    • Instruction Fuzzy Hash: 19310871805749AFDB029FA4EC89B9ABFF0FB09311F18416AE690EA2A1D3B90545CF51

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 007D3074
                                                                    • RegisterClassExW.USER32(00000030), ref: 007D309E
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007D30AF
                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 007D30CC
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007D30DC
                                                                    • LoadIconW.USER32(000000A9), ref: 007D30F2
                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007D3101
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                    • API String ID: 2914291525-1005189915
                                                                    • Opcode ID: 63be0cf846c53a0db4ea659cdf1bdac0e15e3178513e1dc85ba3046d340626c9
                                                                    • Instruction ID: 2cbfb19dc4eb925e0c9600b161ef5a022fda9144aa535d07e18cb7d63317d4d7
                                                                    • Opcode Fuzzy Hash: 63be0cf846c53a0db4ea659cdf1bdac0e15e3178513e1dc85ba3046d340626c9
                                                                    • Instruction Fuzzy Hash: 3F21C3B1911718AFDB01EFA4E889BDEBBF4FB08711F04412AFA11A62A1D7B54544CF91

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 007D4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008952F8,?,007D37AE,?), ref: 007D4724
                                                                      • Part of subcall function 007F050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007D7165), ref: 007F052D
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007D71A8
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0080E8C8
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0080E909
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0080E947
                                                                    • _wcscat.LIBCMT ref: 0080E9A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                    • API String ID: 2673923337-2727554177
                                                                    • Opcode ID: dd068626fbcc377822e74c4f0d18b094e406739d0158fbdfbbcf945fe72577ce
                                                                    • Instruction ID: 512b4e0124eab855b5c429451545784110c8d81b2ebe2c83a3f1c7dc7b31b349
                                                                    • Opcode Fuzzy Hash: dd068626fbcc377822e74c4f0d18b094e406739d0158fbdfbbcf945fe72577ce
                                                                    • Instruction Fuzzy Hash: 9A717A71508301DEC304EFA9EC459ABBBB8FF84350B48092FF545C72A1EB759948CB92

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 007D3A50
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 007D3A5F
                                                                    • LoadIconW.USER32(00000063), ref: 007D3A76
                                                                    • LoadIconW.USER32(000000A4), ref: 007D3A88
                                                                    • LoadIconW.USER32(000000A2), ref: 007D3A9A
                                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007D3AC0
                                                                    • RegisterClassExW.USER32(?), ref: 007D3B16
                                                                      • Part of subcall function 007D3041: GetSysColorBrush.USER32(0000000F), ref: 007D3074
                                                                      • Part of subcall function 007D3041: RegisterClassExW.USER32(00000030), ref: 007D309E
                                                                      • Part of subcall function 007D3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007D30AF
                                                                      • Part of subcall function 007D3041: InitCommonControlsEx.COMCTL32(?), ref: 007D30CC
                                                                      • Part of subcall function 007D3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007D30DC
                                                                      • Part of subcall function 007D3041: LoadIconW.USER32(000000A9), ref: 007D30F2
                                                                      • Part of subcall function 007D3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007D3101
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                    • String ID: #$0$AutoIt v3
                                                                    • API String ID: 423443420-4155596026
                                                                    • Opcode ID: c1a64b1fa2a85bf891ea337c5b049300c7afa49cd88b0408323ce27ecb800e87
                                                                    • Instruction ID: 657f5185e5b6d81cd0d977b5a95da35e950544971ace293d8515b50468c53809
                                                                    • Opcode Fuzzy Hash: c1a64b1fa2a85bf891ea337c5b049300c7afa49cd88b0408323ce27ecb800e87
                                                                    • Instruction Fuzzy Hash: A7212B71D00304AFEB12EFE4EC59B9D7BB5FB08711F14416BF604A62A1D3B956508F94

                                                                    Control-flow Graph

                                                                    (rendered control-flow graph omitted; legend "Executed" / "Not Executed"; function entry block 7d3633-7d3681, with basic blocks in the 7d36xx-7d37xx and 80d0xx-80d1xx ranges)
                                                                    APIs
                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 007D36D2
                                                                    • KillTimer.USER32(?,00000001), ref: 007D36FC
                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007D371F
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007D372A
                                                                    • CreatePopupMenu.USER32 ref: 007D373E
                                                                    • PostQuitMessage.USER32(00000000), ref: 007D374D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                    • String ID: TaskbarCreated
                                                                    • API String ID: 129472671-2362178303
                                                                    • Opcode ID: 710ce5d4da69f2a340d60cd2bcf2f5dff766c27f9fb88f55582111db3842eb21
                                                                    • Instruction ID: a693d97c0998d44b745118e933f1cd9e6940ab0044dde10a76426e524792f128
                                                                    • Opcode Fuzzy Hash: 710ce5d4da69f2a340d60cd2bcf2f5dff766c27f9fb88f55582111db3842eb21
                                                                    • Instruction Fuzzy Hash: 2841F4B2200A45FBDB117FA8DC49B7A3B78FB04311F180127F602D63E2DA6D9A549763

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                    • API String ID: 1825951767-3513169116
                                                                    • Opcode ID: 2c0504a359f4738913a3dfe87b3be8e2dcb39539c52446f9fb55ea856b6ebd75
                                                                    • Instruction ID: 9aaa5bab50b41af6ac2b43c8119f7859cdb0dff06e09eeb0df4d1c032acd65ee
                                                                    • Opcode Fuzzy Hash: 2c0504a359f4738913a3dfe87b3be8e2dcb39539c52446f9fb55ea856b6ebd75
                                                                    • Instruction Fuzzy Hash: 1BA13D7191021DDACF05EBE4DC99AEEB779FF14310F48042AE515B7291EF786A08CB61

                                                                    Control-flow Graph

                                                                    control_flow_graph 942 11b4360-11b440e call 11b1d60 945 11b4415-11b443b call 11b5270 CreateFileW 942->945 948 11b443d 945->948 949 11b4442-11b4452 945->949 950 11b458d-11b4591 948->950 954 11b4459-11b4473 VirtualAlloc 949->954 955 11b4454 949->955 951 11b45d3-11b45d6 950->951 952 11b4593-11b4597 950->952 956 11b45d9-11b45e0 951->956 957 11b4599-11b459c 952->957 958 11b45a3-11b45a7 952->958 959 11b447a-11b4491 ReadFile 954->959 960 11b4475 954->960 955->950 961 11b45e2-11b45ed 956->961 962 11b4635-11b464a 956->962 957->958 963 11b45a9-11b45b3 958->963 964 11b45b7-11b45bb 958->964 967 11b4498-11b44d8 VirtualAlloc 959->967 968 11b4493 959->968 960->950 969 11b45ef 961->969 970 11b45f1-11b45fd 961->970 971 11b465a-11b4662 962->971 972 11b464c-11b4657 VirtualFree 962->972 963->964 965 11b45cb 964->965 966 11b45bd-11b45c7 964->966 965->951 966->965 973 11b44da 967->973 974 11b44df-11b44fa call 11b54c0 967->974 968->950 969->962 975 11b45ff-11b460f 970->975 976 11b4611-11b461d 970->976 972->971 973->950 982 11b4505-11b450f 974->982 978 11b4633 975->978 979 11b462a-11b4630 976->979 980 11b461f-11b4628 976->980 978->956 979->978 980->978 983 11b4542-11b4556 call 11b52d0 982->983 984 11b4511-11b4540 call 11b54c0 982->984 989 11b455a-11b455e 983->989 990 11b4558 983->990 984->982 992 11b456a-11b456e 989->992 993 11b4560-11b4564 CloseHandle 989->993 990->950 994 11b457e-11b4587 992->994 995 11b4570-11b457b VirtualFree 992->995 993->992 994->945 994->950 995->994
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011B4431
                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 011B4657
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101978127.00000000011B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_11b1000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CreateFileFreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 204039940-0
                                                                    • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                    • Instruction ID: 8d4574884f91142f51ce75c4b6c4319cc43fd35b581c20510913adb7efaf948b
                                                                    • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                    • Instruction Fuzzy Hash: 1DA11A70E00209EBDB18CFA4C894BEEBBB5FF48304F108559E606BB681D7759A85CF65

                                                                    Control-flow Graph

                                                                    control_flow_graph 1073 7d39d5-7d3a45 CreateWindowExW * 2 ShowWindow * 2
                                                                    APIs
                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007D3A03
                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007D3A24
                                                                    • ShowWindow.USER32(00000000,?,?), ref: 007D3A38
                                                                    • ShowWindow.USER32(00000000,?,?), ref: 007D3A41
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$CreateShow
                                                                    • String ID: AutoIt v3$edit
                                                                    • API String ID: 1584632944-3779509399
                                                                    • Opcode ID: 561c061b80a5ba0672228fb203e3c96bfdc152120c2a6e39e2d943fd2193f710
                                                                    • Instruction ID: 9b37ce0ea63418d7b0576f689d4b0cbd1eb72b529a926bcb36bbbc5b442ddb84
                                                                    • Opcode Fuzzy Hash: 561c061b80a5ba0672228fb203e3c96bfdc152120c2a6e39e2d943fd2193f710
                                                                    • Instruction Fuzzy Hash: F1F03A705006907EEA3267A36C08E2B3E7DF7CAF51F04002ABA00A21B1C2651800CBB0

                                                                    Control-flow Graph

                                                                    control_flow_graph 1074 11b4110-11b4255 call 11b1d60 call 11b4000 CreateFileW 1081 11b425c-11b426c 1074->1081 1082 11b4257 1074->1082 1085 11b426e 1081->1085 1086 11b4273-11b428d VirtualAlloc 1081->1086 1083 11b430c-11b4311 1082->1083 1085->1083 1087 11b428f 1086->1087 1088 11b4291-11b42a8 ReadFile 1086->1088 1087->1083 1089 11b42aa 1088->1089 1090 11b42ac-11b42e6 call 11b4040 call 11b3000 1088->1090 1089->1083 1095 11b42e8-11b42fd call 11b4090 1090->1095 1096 11b4302-11b430a ExitProcess 1090->1096 1095->1096 1096->1083
                                                                    APIs
                                                                      • Part of subcall function 011B4000: Sleep.KERNELBASE(000001F4), ref: 011B4011
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011B424B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101978127.00000000011B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_11b1000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CreateFileSleep
                                                                    • String ID: RZ9I5ZJWZAXFMH76HWUP5RJ8KFZ
                                                                    • API String ID: 2694422964-2583491945
                                                                    • Opcode ID: 273804a7309462f60437ee3240019a85de727f320dc7f6fe368d79c4923b0511
                                                                    • Instruction ID: 4b162662b5b9c1f1534162559f74beca0a8def53c5376a864335f966d944ddad
                                                                    • Opcode Fuzzy Hash: 273804a7309462f60437ee3240019a85de727f320dc7f6fe368d79c4923b0511
                                                                    • Instruction Fuzzy Hash: EE616230D04288DAEF15DBE8D854BDFBB74AF19304F048199E2597B2C1D7B90A49CB66

                                                                    Control-flow Graph

                                                                    control_flow_graph 1098 7d407c-7d4092 1099 7d416f-7d4173 1098->1099 1100 7d4098-7d40ad call 7d7a16 1098->1100 1103 80d3c8-80d3d7 LoadStringW 1100->1103 1104 7d40b3-7d40d3 call 7d7bcc 1100->1104 1107 80d3e2-80d3fa call 7d7b2e call 7d6fe3 1103->1107 1104->1107 1108 7d40d9-7d40dd 1104->1108 1118 7d40ed-7d416a call 7f2de0 call 7d454e call 7f2dbc Shell_NotifyIconW call 7d5904 1107->1118 1120 80d400-80d41e call 7d7cab call 7d6fe3 call 7d7cab 1107->1120 1110 7d4174-7d417d call 7d8047 1108->1110 1111 7d40e3-7d40e8 call 7d7b2e 1108->1111 1110->1118 1111->1118 1118->1099 1120->1118
                                                                    APIs
                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0080D3D7
                                                                      • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                                    • _memset.LIBCMT ref: 007D40FC
                                                                    • _wcscpy.LIBCMT ref: 007D4150
                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007D4160
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                    • String ID: Line:
                                                                    • API String ID: 3942752672-1585850449
                                                                    • Opcode ID: dfadbe58a750fa574b3a6ea06ac59b5db82c9871f2ba347f268d56f4ad850883
                                                                    • Instruction ID: 5ae0a2a4e278a9d1d3e532a610d4bac63dc993c8c662b4100e36236c9ce960b6
                                                                    • Opcode Fuzzy Hash: dfadbe58a750fa574b3a6ea06ac59b5db82c9871f2ba347f268d56f4ad850883
                                                                    • Instruction Fuzzy Hash: 41319071008704AFD765EBA0DC49BEB77ECBF44300F14451BF68592292EB78A648C796

                                                                    Control-flow Graph

                                                                    control_flow_graph 1133 7f541d-7f5436 1134 7f5438-7f543d 1133->1134 1135 7f5453 1133->1135 1134->1135 1136 7f543f-7f5441 1134->1136 1137 7f5455-7f545b 1135->1137 1138 7f545c-7f5461 1136->1138 1139 7f5443-7f5448 call 7f8b28 1136->1139 1141 7f546f-7f5473 1138->1141 1142 7f5463-7f546d 1138->1142 1150 7f544e call 7f8db6 1139->1150 1145 7f5475-7f5480 call 7f2de0 1141->1145 1146 7f5483-7f5485 1141->1146 1142->1141 1144 7f5493-7f54a2 1142->1144 1148 7f54a9 1144->1148 1149 7f54a4-7f54a7 1144->1149 1145->1146 1146->1139 1147 7f5487-7f5491 1146->1147 1147->1139 1147->1144 1153 7f54ae-7f54b3 1148->1153 1149->1153 1150->1135 1155 7f559c-7f559f 1153->1155 1156 7f54b9-7f54c0 1153->1156 1155->1137 1157 7f54c2-7f54ca 1156->1157 1158 7f5501-7f5503 1156->1158 1157->1158 1161 7f54cc 1157->1161 1159 7f556d-7f556e call 800ba7 1158->1159 1160 7f5505-7f5507 1158->1160 1168 7f5573-7f5577 1159->1168 1163 7f552b-7f5536 1160->1163 1164 7f5509-7f5511 1160->1164 1165 7f55ca 1161->1165 1166 7f54d2-7f54d4 1161->1166 1171 7f553a-7f553d 1163->1171 1172 7f5538 1163->1172 1169 7f5513-7f551f 1164->1169 1170 7f5521-7f5525 1164->1170 1167 7f55ce-7f55d7 1165->1167 1173 7f54db-7f54e0 1166->1173 1174 7f54d6-7f54d8 1166->1174 1167->1137 1168->1167 1175 7f5579-7f557e 1168->1175 1176 7f5527-7f5529 1169->1176 1170->1176 1177 7f553f-7f554b call 7f46e6 call 800e5b 1171->1177 1178 7f55a4-7f55a8 1171->1178 1172->1171 1173->1178 1179 7f54e6-7f54ff call 800cc8 1173->1179 1174->1173 1175->1178 1180 7f5580-7f5591 1175->1180 1176->1171 1194 7f5550-7f5555 1177->1194 1181 7f55ba-7f55c5 call 7f8b28 1178->1181 1182 7f55aa-7f55b7 call 7f2de0 1178->1182 1190 7f5562-7f556b 1179->1190 1185 7f5594-7f5596 1180->1185 1181->1150 1182->1181 1185->1155 1185->1156 1190->1185 1195 7f55dc-7f55e0 1194->1195 1196 7f555b-7f555e 1194->1196 1195->1167 1196->1165 1197 7f5560 1196->1197 1197->1190
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                    • String ID:
                                                                    • API String ID: 1559183368-0
                                                                    • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                    • Instruction ID: 341f0f7de184cab9a829c34f00882396dc76444b4d171943c14d11cb787bea47
                                                                    • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                    • Instruction Fuzzy Hash: 2551B170A00B0DDBDB248FA9D88467E77A3AF40321F248729FB25973D1D7789DA18B41
                                                                    APIs
                                                                      • Part of subcall function 007D4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4E0F
                                                                    • _free.LIBCMT ref: 0080E263
                                                                    • _free.LIBCMT ref: 0080E2AA
                                                                      • Part of subcall function 007D6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007D6BAD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                    • API String ID: 2861923089-1757145024
                                                                    • Opcode ID: ad50926d6456e8c09b0e5798eb9288921c57cd6b15298d2c1374dc19ed3931f0
                                                                    • Instruction ID: 06dfae741f705a45a0a9e96f7901e9390026614616d643647964f4d12187ff66
                                                                    • Opcode Fuzzy Hash: ad50926d6456e8c09b0e5798eb9288921c57cd6b15298d2c1374dc19ed3931f0
                                                                    • Instruction Fuzzy Hash: BB914A71A00219EFCF14EFA4CC959EEB7B9FF14314B14482AF915EB2A1DB74A905CB50
                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007D35A1,SwapMouseButtons,00000004,?), ref: 007D35D4
                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007D35A1,SwapMouseButtons,00000004,?,?,?,?,007D2754), ref: 007D35F5
                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,007D35A1,SwapMouseButtons,00000004,?,?,?,?,007D2754), ref: 007D3617
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: Control Panel\Mouse
                                                                    • API String ID: 3677997916-824357125
                                                                    • Opcode ID: 39c7c643c4bad3e3f44a811c2efd3ba1a47194f8a272170eab879b59d9d7ed8f
                                                                    • Instruction ID: 83b8e37d228e8c6ecc264d487ce41b7155355c5c4462a2f2482eeaa813947855
                                                                    • Opcode Fuzzy Hash: 39c7c643c4bad3e3f44a811c2efd3ba1a47194f8a272170eab879b59d9d7ed8f
                                                                    • Instruction Fuzzy Hash: 7F110375611218FADB208F64DC84EAABBB8EF04740F11856AB905D7210E6759E509BA2
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 011B382D
                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011B3851
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011B3873
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101978127.00000000011B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_11b1000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                    • String ID:
                                                                    • API String ID: 2438371351-0
                                                                    • Opcode ID: 6e999cef06aac06fcde311c2673bbf8567a4d88a660ea8880241fb15dada5407
                                                                    • Instruction ID: 4770e064e68769a87b0bffbbb99b17ed4f27c54e24eaede461a32b715be943d8
                                                                    • Opcode Fuzzy Hash: 6e999cef06aac06fcde311c2673bbf8567a4d88a660ea8880241fb15dada5407
                                                                    • Instruction Fuzzy Hash: 3A620B30A142589BEB28CFA4C890BDEB772FF58300F1091A9D11DEB394E7759E91CB59
                                                                    APIs
                                                                      • Part of subcall function 007D4EE5: _fseek.LIBCMT ref: 007D4EFD
                                                                      • Part of subcall function 00839734: _wcscmp.LIBCMT ref: 00839824
                                                                      • Part of subcall function 00839734: _wcscmp.LIBCMT ref: 00839837
                                                                    • _free.LIBCMT ref: 008396A2
                                                                    • _free.LIBCMT ref: 008396A9
                                                                    • _free.LIBCMT ref: 00839714
                                                                      • Part of subcall function 007F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,007F9A24), ref: 007F2D69
                                                                      • Part of subcall function 007F2D55: GetLastError.KERNEL32(00000000,?,007F9A24), ref: 007F2D7B
                                                                    • _free.LIBCMT ref: 0083971C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                    • String ID:
                                                                    • API String ID: 1552873950-0
                                                                    • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                    • Instruction ID: 3a5ab82d76b064bd807a9907729354e016896a7bd704cb2d7445598d89a3659c
                                                                    • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                    • Instruction Fuzzy Hash: 32513CB1904218EBDF249F64CC85AAEBBB9FF88300F10449EF649A3351DB755A818F59
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                    • String ID:
                                                                    • API String ID: 2782032738-0
                                                                    • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                    • Instruction ID: 2d9d3f6fbed902ecff2d2d8771687d3c1b1d9480e785cf75b29ab03764bd44aa
                                                                    • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                    • Instruction Fuzzy Hash: EE41D374A0074EEBDB189E69C8849BF7BA5EF423A0B24813DEA15C7740EB78DD408B50
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0080EA39
                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 0080EA83
                                                                      • Part of subcall function 007D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D4743,?,?,007D37AE,?), ref: 007D4770
                                                                      • Part of subcall function 007F0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007F07B0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                                    • String ID: X
                                                                    • API String ID: 3777226403-3081909835
                                                                    • Opcode ID: 2645f085df251a142005be0d3b219b607f7ebf68cb21273ff7f902aee128b9ce
                                                                    • Instruction ID: 99378a629945d402f815f28c2d3ebad2e890f254607a57c3d16f5dbf086dfad9
                                                                    • Opcode Fuzzy Hash: 2645f085df251a142005be0d3b219b607f7ebf68cb21273ff7f902aee128b9ce
                                                                    • Instruction Fuzzy Hash: BD219F71A00258DBCB559BD4CC49AEE7BF8BF48310F04405AE508E7381DBB85989CFA1
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __fread_nolock_memmove
                                                                    • String ID: EA06
                                                                    • API String ID: 1988441806-3962188686
                                                                    • Opcode ID: c0c2926c8370a76b46662b4668c4b34878c030cb3f5bb03990082b62f8fec40d
                                                                    • Instruction ID: 8bd3186716ef2870dcb57ce3e837453c647688825d3aac942657fc9265d33bcd
                                                                    • Opcode Fuzzy Hash: c0c2926c8370a76b46662b4668c4b34878c030cb3f5bb03990082b62f8fec40d
                                                                    • Instruction Fuzzy Hash: 1801F97180421CBEDB18DAA8CC1AEFE7BF8DB11301F00419AF652D2281E878E60487A0
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 008398F8
                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0083990F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Temp$FileNamePath
                                                                    • String ID: aut
                                                                    • API String ID: 3285503233-3010740371
                                                                    • Opcode ID: 0e6ce88b0734726beab6279e59b9d3e1c968ec3bf9015a18402c8fde54d8147b
                                                                    • Instruction ID: 444e2d7f764a3eca8cb66c49e6209b6224232d63895998b9604483b8ae357e88
                                                                    • Opcode Fuzzy Hash: 0e6ce88b0734726beab6279e59b9d3e1c968ec3bf9015a18402c8fde54d8147b
                                                                    • Instruction Fuzzy Hash: 76D05EB958030DABDB50ABA0DC0EF9A773CF704702F4002B1BB54D61A2EAB495988B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9a1f7b64eca03fb803ff0472b585efe3d4bc8dbaf5a1e26d6980a792c90dcccc
                                                                    • Instruction ID: 1666769c1169c2bf6df5e2bc9ba4cdb8c32e421614e5b94b30153524cf8c06b6
                                                                    • Opcode Fuzzy Hash: 9a1f7b64eca03fb803ff0472b585efe3d4bc8dbaf5a1e26d6980a792c90dcccc
                                                                    • Instruction Fuzzy Hash: 51F12770A083459FC754DF28C484A6ABBE9FF88314F14892EF8999B351DB74E945CF82
                                                                    APIs
                                                                      • Part of subcall function 007F0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F0193
                                                                      • Part of subcall function 007F0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 007F019B
                                                                      • Part of subcall function 007F0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F01A6
                                                                      • Part of subcall function 007F0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F01B1
                                                                      • Part of subcall function 007F0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 007F01B9
                                                                      • Part of subcall function 007F0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 007F01C1
                                                                      • Part of subcall function 007E60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,007DF930), ref: 007E6154
                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007DF9CD
                                                                    • OleInitialize.OLE32(00000000), ref: 007DFA4A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 008145C8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                    • String ID:
                                                                    • API String ID: 1986988660-0
                                                                    • Opcode ID: 92ad3ec00ff5f3cce05d29f4c5726b3e55d58e308b45e3f1c373dcb531cc69a1
                                                                    • Instruction ID: 1db78a3762dbf79ebcefafa42737992dddb3f776018777e5399e81dec0b4ea62
                                                                    • Opcode Fuzzy Hash: 92ad3ec00ff5f3cce05d29f4c5726b3e55d58e308b45e3f1c373dcb531cc69a1
                                                                    • Instruction Fuzzy Hash: 4C81EBF0902A40DFC786FFB9E8556187BE5FB89306758812BD109CB322EB744188CF59
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 007D4370
                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 007D4415
                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 007D4432
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: IconNotifyShell_$_memset
                                                                    • String ID:
                                                                    • API String ID: 1505330794-0
                                                                    • Opcode ID: 283a77d0dc8141b3e5302f9a5c6c7e878d07eb31e3963f63b6c09393e529f8c5
                                                                    • Instruction ID: 18aeb45c09e2f7393e7e933d07f2b91baf83b217911ad5f98c1836381a243c38
                                                                    • Opcode Fuzzy Hash: 283a77d0dc8141b3e5302f9a5c6c7e878d07eb31e3963f63b6c09393e529f8c5
                                                                    • Instruction Fuzzy Hash: FA319EB0504701DFC721EF68D88469BBBF8FB48309F00092FF69A92391E775A944CB92
                                                                    APIs
                                                                    • __FF_MSGBANNER.LIBCMT ref: 007F5733
                                                                      • Part of subcall function 007FA16B: __NMSG_WRITE.LIBCMT ref: 007FA192
                                                                      • Part of subcall function 007FA16B: __NMSG_WRITE.LIBCMT ref: 007FA19C
                                                                    • __NMSG_WRITE.LIBCMT ref: 007F573A
                                                                      • Part of subcall function 007FA1C8: GetModuleFileNameW.KERNEL32(00000000,008933BA,00000104,?,00000001,00000000), ref: 007FA25A
                                                                      • Part of subcall function 007FA1C8: ___crtMessageBoxW.LIBCMT ref: 007FA308
                                                                      • Part of subcall function 007F309F: ___crtCorExitProcess.LIBCMT ref: 007F30A5
                                                                      • Part of subcall function 007F309F: ExitProcess.KERNEL32 ref: 007F30AE
                                                                      • Part of subcall function 007F8B28: __getptd_noexit.LIBCMT ref: 007F8B28
                                                                    • RtlAllocateHeap.NTDLL(01130000,00000000,00000001,00000000,?,?,?,007F0DD3,?), ref: 007F575F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                    • String ID:
                                                                    • API String ID: 1372826849-0
                                                                    • Opcode ID: 6cf65307aed18558defc7fee31da19bda090149fae029c37a3bea942102abeee
                                                                    • Instruction ID: b959ba22e721029be8a8adfd9c18b4fd22b926f896d572d26e0424b4e9db4443
                                                                    • Opcode Fuzzy Hash: 6cf65307aed18558defc7fee31da19bda090149fae029c37a3bea942102abeee
                                                                    • Instruction Fuzzy Hash: F501DE75340B0DEAD6113778EC8AA3E7798AF82362F210026F7199A382DE7C98004671
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00839548,?,?,?,?,?,00000004), ref: 008398BB
                                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00839548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008398D1
                                                                    • CloseHandle.KERNEL32(00000000,?,00839548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008398D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleTime
                                                                    • String ID:
                                                                    • API String ID: 3397143404-0
                                                                    • Opcode ID: 01e399b4be83fc63e1e9c35d8bb3c12023f4e40f2840642a511e02da9bef1c38
                                                                    • Instruction ID: f1f7a051a22b39b3b4a94103fc8461846801d692b964fbcacc37513e3b2dece7
                                                                    • Opcode Fuzzy Hash: 01e399b4be83fc63e1e9c35d8bb3c12023f4e40f2840642a511e02da9bef1c38
                                                                    • Instruction Fuzzy Hash: 1AE08632181714B7E7222B54EC09FCA7B19FB46762F104120FB54A90E187B5151197D8
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00838D1B
                                                                      • Part of subcall function 007F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,007F9A24), ref: 007F2D69
                                                                      • Part of subcall function 007F2D55: GetLastError.KERNEL32(00000000,?,007F9A24), ref: 007F2D7B
                                                                    • _free.LIBCMT ref: 00838D2C
                                                                    • _free.LIBCMT ref: 00838D3E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                    • Instruction ID: 2ab5cb4b9dba3bdf2d347553e527ec451e439962b47e0ca4e38f1514bc8963dc
                                                                    • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                    • Instruction Fuzzy Hash: AEE012A1701709C6DF24A578A945AA313DC9F98352B14091DB50DD7287CE68F8438164
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CALL
                                                                    • API String ID: 0-4196123274
                                                                    • Opcode ID: 19926fcf07239deaa9214c3c0c6bdb18aa9d42af8ef4f7b85a50b9a04bffbb71
                                                                    • Instruction ID: 7ccd7026de68cd4867dc1a679e2ff8afbf04f3650bd4f3fab02ad83b46812dad
                                                                    • Opcode Fuzzy Hash: 19926fcf07239deaa9214c3c0c6bdb18aa9d42af8ef4f7b85a50b9a04bffbb71
                                                                    • Instruction Fuzzy Hash: F9224B70508201DFCB24DF14C495A6AB7F1FF84314F19896EE98A9B362D739ED85CB82
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID: EA06
                                                                    • API String ID: 4104443479-3962188686
                                                                    • Opcode ID: 1149f2afd205a14da1228b0e01e6af3982bc47bcc419640d808e310f9ef05a12
                                                                    • Instruction ID: 1524d8d2896e33212c5b4912194b643fb0e01aeaf16783396d0133971259facd
                                                                    • Opcode Fuzzy Hash: 1149f2afd205a14da1228b0e01e6af3982bc47bcc419640d808e310f9ef05a12
                                                                    • Instruction Fuzzy Hash: 10414861B04258ABDF219B64CC957BE7BB3EB45300F284477EE86DA382D63C9D4483A1
                                                                    APIs
                                                                    • IsThemeActive.UXTHEME ref: 007D4834
                                                                      • Part of subcall function 007F336C: __lock.LIBCMT ref: 007F3372
                                                                      • Part of subcall function 007F336C: DecodePointer.KERNEL32(00000001,?,007D4849,00827C74), ref: 007F337E
                                                                      • Part of subcall function 007F336C: EncodePointer.KERNEL32(?,?,007D4849,00827C74), ref: 007F3389
                                                                      • Part of subcall function 007D48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 007D4915
                                                                      • Part of subcall function 007D48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007D492A
                                                                      • Part of subcall function 007D3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D3B68
                                                                      • Part of subcall function 007D3B3A: IsDebuggerPresent.KERNEL32 ref: 007D3B7A
                                                                      • Part of subcall function 007D3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,008952F8,008952E0,?,?), ref: 007D3BEB
                                                                      • Part of subcall function 007D3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 007D3C6F
                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007D4874
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                    • String ID:
                                                                    • API String ID: 1438897964-0
                                                                    • Opcode ID: 5a1d3750560e82a32929ef292053fbfb010fff10bcb75391bde2ce38cf58f765
                                                                    • Instruction ID: 42724fed4319c404e51756dbeaa816a650d25d083ba697d4f645047964f96ac7
                                                                    • Opcode Fuzzy Hash: 5a1d3750560e82a32929ef292053fbfb010fff10bcb75391bde2ce38cf58f765
                                                                    • Instruction Fuzzy Hash: 861189719083459FC700EFA9E80990ABBF8FF89B50F14491BF140932B1DBB4A648CB92
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,007D5821,?,?,?,?), ref: 007D5CC7
                                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,007D5821,?,?,?,?), ref: 0080DD73
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: fef4b6c7694967f48855329be996f39451d0d73924dc868fb95159a6a40182e6
                                                                    • Instruction ID: 3c27f5e6d14c200081d3c6b78f945d2add2e54dc5a851ae212e925a7ee5dc6b2
                                                                    • Opcode Fuzzy Hash: fef4b6c7694967f48855329be996f39451d0d73924dc868fb95159a6a40182e6
                                                                    • Instruction Fuzzy Hash: EE018870244705BFF3210E14CC8AF7536ECEB01768F148316BBD99A2D0C6B81C458B50
                                                                    APIs
                                                                      • Part of subcall function 007F571C: __FF_MSGBANNER.LIBCMT ref: 007F5733
                                                                      • Part of subcall function 007F571C: __NMSG_WRITE.LIBCMT ref: 007F573A
                                                                      • Part of subcall function 007F571C: RtlAllocateHeap.NTDLL(01130000,00000000,00000001,00000000,?,?,?,007F0DD3,?), ref: 007F575F
                                                                    • std::exception::exception.LIBCMT ref: 007F0DEC
                                                                    • __CxxThrowException@8.LIBCMT ref: 007F0E01
                                                                      • Part of subcall function 007F859B: RaiseException.KERNEL32(?,?,?,00889E78,00000000,?,?,?,?,007F0E06,?,00889E78,?,00000001), ref: 007F85F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 3902256705-0
                                                                    • Opcode ID: 395179058b1292056aebc97d17ee89fee41aae1ecef002b88fec107f653387f6
                                                                    • Instruction ID: d8dc44ec3c26cd25c68274b80c90d4381891a39b321862e7e3f1b47a538b097d
                                                                    • Opcode Fuzzy Hash: 395179058b1292056aebc97d17ee89fee41aae1ecef002b88fec107f653387f6
                                                                    • Instruction Fuzzy Hash: 48F0A43190021EA6CB10BBE8EC099FE7BACEF01351F104469FB14D6382DFB89A5486D1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __lock_file_memset
                                                                    • String ID:
                                                                    • API String ID: 26237723-0
                                                                    • Opcode ID: 300f6589d5ea222ed53aed48d83fd265feb63425fd866ed0a0f7f21fda89a90d
                                                                    • Instruction ID: dfaa30339a1639e0aff266ae19ab5f9800a7855f5f0afa76a74e8cc486c88a2f
                                                                    • Opcode Fuzzy Hash: 300f6589d5ea222ed53aed48d83fd265feb63425fd866ed0a0f7f21fda89a90d
                                                                    • Instruction Fuzzy Hash: DD01D471800A0CEBCF12AF68CC0A4BE7B61AF50721F544115FB349A391DB398A11EF92
                                                                    APIs
                                                                      • Part of subcall function 007F8B28: __getptd_noexit.LIBCMT ref: 007F8B28
                                                                    • __lock_file.LIBCMT ref: 007F53EB
                                                                      • Part of subcall function 007F6C11: __lock.LIBCMT ref: 007F6C34
                                                                    • __fclose_nolock.LIBCMT ref: 007F53F6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                    • String ID:
                                                                    • API String ID: 2800547568-0
                                                                    • Opcode ID: 5d4faf905433a1a3e1de37217a216b23c39ced3d7a6be8751fd2bd2f39139403
                                                                    • Instruction ID: c0671fae0674d368000f8b5f76220fce69f6574397104508ba7a6a55c38c0980
                                                                    • Opcode Fuzzy Hash: 5d4faf905433a1a3e1de37217a216b23c39ced3d7a6be8751fd2bd2f39139403
                                                                    • Instruction Fuzzy Hash: DAF09071900A0CDADB51AB79D80A7BD66A06F41378F248209A764AB3C1CBFC9941AB52
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,007D542F,?,?,?,?,?), ref: 007D807A
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,007D542F,?,?,?,?,?), ref: 007D80AD
                                                                      • Part of subcall function 007D774D: _memmove.LIBCMT ref: 007D7789
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$_memmove
                                                                    • String ID:
                                                                    • API String ID: 3033907384-0
                                                                    • Opcode ID: 2a66fa69740bb1a46f144223c26f2a46e64593b3b8315a7c94be3ed49fbf23cc
                                                                    • Instruction ID: b2541c6f0b60806202f2a8238cea079ab0d7554f67f91a819f3a085161daa1e0
                                                                    • Opcode Fuzzy Hash: 2a66fa69740bb1a46f144223c26f2a46e64593b3b8315a7c94be3ed49fbf23cc
                                                                    • Instruction Fuzzy Hash: 81016D71241608BFEB256A25DD4AF7B3B6DEF85760F10802AFA05DE291EE659800C6A1
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 011B382D
                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011B3851
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011B3873
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101978127.00000000011B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_11b1000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                    • String ID:
                                                                    • API String ID: 2438371351-0
                                                                    • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                                    • Instruction ID: 11a8f436b7cf365e6be78412d5b384385e82408d49e1f9d88c47144fdf2cbdf7
                                                                    • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                                    • Instruction Fuzzy Hash: 3912ED24E24658C6EB24DF64D8507DEB232FF68300F1090E9D10DEB7A5E77A4E91CB5A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8503a3a68402371aff3745aef4cf48dedaf4cdbd98b953d1e4f1791d817afc5d
                                                                    • Instruction ID: e40c1124d24f3795a3ab79a1e1d036dee6b15243aaf260652f09cc3deb181408
                                                                    • Opcode Fuzzy Hash: 8503a3a68402371aff3745aef4cf48dedaf4cdbd98b953d1e4f1791d817afc5d
                                                                    • Instruction Fuzzy Hash: 3B518131600604EFCF14EB68C995EAD77BAEF89310F144169F9469B392DB38ED01CB51
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID:
                                                                    • API String ID: 4104443479-0
                                                                    • Opcode ID: 74722da7d578c4de16107547794dad42e9ee7aef0c0b01352df76d0c5bccf52e
                                                                    • Instruction ID: 7dee39d388b25fd7ec51f90d5111cfceb0109e38c531d85c64da690eaf7d9e07
                                                                    • Opcode Fuzzy Hash: 74722da7d578c4de16107547794dad42e9ee7aef0c0b01352df76d0c5bccf52e
                                                                    • Instruction Fuzzy Hash: 9831A179608A02EFC718DF18D480A26F7B0FF49310B14C56AE98A8B791F734E851CB85
                                                                    APIs
                                                                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 007D5B96
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ClearVariant
                                                                    • String ID:
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID:
                                                                    APIs
                                                                      • Part of subcall function 007D4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 007D4BEF
                                                                      • Part of subcall function 007F525B: __wfsopen.LIBCMT ref: 007F5266
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4E0F
                                                                      • Part of subcall function 007D4B6A: FreeLibrary.KERNEL32(00000000), ref: 007D4BA4
                                                                      • Part of subcall function 007D4C70: _memmove.LIBCMT ref: 007D4CBA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                                    • String ID:
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ClearVariant
                                                                    • String ID:
                                                                    APIs
                                                                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,007D56A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 007D5C16
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID:
                                                                    APIs
                                                                    • __lock_file.LIBCMT ref: 007F48A6
                                                                      • Part of subcall function 007F8B28: __getptd_noexit.LIBCMT ref: 007F8B28
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: __getptd_noexit__lock_file
                                                                    • String ID:
                                                                    APIs
                                                                    • FreeLibrary.KERNEL32(?,?,008952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4E7E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    APIs
                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007F07B0
                                                                      • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: LongNamePath_memmove
                                                                    • String ID:
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: __fread_nolock
                                                                    • String ID:
                                                                    APIs
                                                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0080DD42,?,?,00000000), ref: 007D5C5F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    • Opcode ID: ef64c78cf13030fe7fa61ddcdf1c3f63c745dfd57476e72fa98b503c3daded5f
                                                                    • Instruction ID: e03f1f408f36e83c6b86c2895397eb39c46ed41a0afd312eba615ecd02afc872
                                                                    • Opcode Fuzzy Hash: ef64c78cf13030fe7fa61ddcdf1c3f63c745dfd57476e72fa98b503c3daded5f
                                                                    • Instruction Fuzzy Hash: 73D09E74640208BFE610DB80DC46FAA777CE705711F100194BE049629096B27D508695
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __wfsopen
                                                                    • String ID:
                                                                    • API String ID: 197181222-0
                                                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                    • Instruction ID: 1154f6df7036aefbd2a944a030eb32af77ae0be763951e4404f881d1a3aa6a75
                                                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                    • Instruction Fuzzy Hash: 2FB092B644020CB7CE012A82FC02A593F19AB41764F408020FB0C18262A677A6649A89
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000002,00000000), ref: 0083D1FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1452528299-0
                                                                    • Opcode ID: 5d27fb3cfcefa9788a1d9cf6fe2e6e9de6c44034b7609b43befd9d64cfb834d1
                                                                    • Instruction ID: 9d222f5a5a7a8cfe6b962c008f22d5799584a1efb2aec942e64357d93d11c020
                                                                    • Opcode Fuzzy Hash: 5d27fb3cfcefa9788a1d9cf6fe2e6e9de6c44034b7609b43befd9d64cfb834d1
                                                                    • Instruction Fuzzy Hash: 2F711970604305CFC704EF68D495A6AB7E1FF89314F04496EF9969B3A2DB34E909CB92
                                                                    APIs
                                                                    • Sleep.KERNELBASE(000001F4), ref: 011B4011
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101978127.00000000011B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 011B1000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_11b1000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID:
                                                                    • API String ID: 3472027048-0
                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                    • Instruction ID: 6759847ef6f5443666ae1464b5f62c2e63b15d55a98a62e1cc9b3d072bbdde63
                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                    • Instruction Fuzzy Hash: EFE0BF7494410DDFDB00EFB4D5496DE7BB4EF04302F104161FD0192281D73099508A62
                                                                    APIs
                                                                      • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0085CB37
                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085CB95
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0085CBD6
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0085CC00
                                                                    • SendMessageW.USER32 ref: 0085CC29
                                                                    • _wcsncpy.LIBCMT ref: 0085CC95
                                                                    • GetKeyState.USER32(00000011), ref: 0085CCB6
                                                                    • GetKeyState.USER32(00000009), ref: 0085CCC3
                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085CCD9
                                                                    • GetKeyState.USER32(00000010), ref: 0085CCE3
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0085CD0C
                                                                    • SendMessageW.USER32 ref: 0085CD33
                                                                    • SendMessageW.USER32(?,00001030,?,0085B348), ref: 0085CE37
                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0085CE4D
                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0085CE60
                                                                    • SetCapture.USER32(?), ref: 0085CE69
                                                                    • ClientToScreen.USER32(?,?), ref: 0085CECE
                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0085CEDB
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0085CEF5
                                                                    • ReleaseCapture.USER32 ref: 0085CF00
                                                                    • GetCursorPos.USER32(?), ref: 0085CF3A
                                                                    • ScreenToClient.USER32(?,?), ref: 0085CF47
                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0085CFA3
                                                                    • SendMessageW.USER32 ref: 0085CFD1
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0085D00E
                                                                    • SendMessageW.USER32 ref: 0085D03D
                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0085D05E
                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0085D06D
                                                                    • GetCursorPos.USER32(?), ref: 0085D08D
                                                                    • ScreenToClient.USER32(?,?), ref: 0085D09A
                                                                    • GetParent.USER32(?), ref: 0085D0BA
                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0085D123
                                                                    • SendMessageW.USER32 ref: 0085D154
                                                                    • ClientToScreen.USER32(?,?), ref: 0085D1B2
                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0085D1E2
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0085D20C
                                                                    • SendMessageW.USER32 ref: 0085D22F
                                                                    • ClientToScreen.USER32(?,?), ref: 0085D281
                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0085D2B5
                                                                      • Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0085D351
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                    • String ID: @GUI_DRAGID$F
                                                                    • API String ID: 3977979337-4164748364
                                                                    • Opcode ID: 231ee713eac0faf73046223c4a12c7d309347cf0af424b1d157ddefb8b56d6b5
                                                                    • Instruction ID: 37f7330f71d932fc2aef24ee46762a7af4fb4b1107a988832ed255f964eff13f
                                                                    • Opcode Fuzzy Hash: 231ee713eac0faf73046223c4a12c7d309347cf0af424b1d157ddefb8b56d6b5
                                                                    • Instruction Fuzzy Hash: F642AD74204341AFDB21DF28C848AAABBE5FF48322F140529FA95D72B1D731D859DF52
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _memmove$_memset
                                                                    • String ID: 3c~$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_~
                                                                    • API String ID: 1357608183-3618157465
                                                                    • Opcode ID: c7c8df7d7413c1bae553b6c8c9210319e47e7e9aec7da8459854116f7657436c
                                                                    • Instruction ID: c88e12a3281e53066c39374b035d0c55c3f5153ff86c9c282e76b8a8a132bc68
                                                                    • Opcode Fuzzy Hash: c7c8df7d7413c1bae553b6c8c9210319e47e7e9aec7da8459854116f7657436c
                                                                    • Instruction Fuzzy Hash: 4F93B275A00229DFDB28CF58D891BADB7B1FF48310F25816AE945EB281E7749EC1CB50
                                                                    APIs
                                                                    • GetForegroundWindow.USER32(00000000,?), ref: 007D48DF
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0080D665
                                                                    • IsIconic.USER32(?), ref: 0080D66E
                                                                    • ShowWindow.USER32(?,00000009), ref: 0080D67B
                                                                    • SetForegroundWindow.USER32(?), ref: 0080D685
                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0080D69B
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0080D6A2
                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0080D6AE
                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0080D6BF
                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0080D6C7
                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0080D6CF
                                                                    • SetForegroundWindow.USER32(?), ref: 0080D6D2
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0080D6E7
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0080D6F2
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0080D6FC
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0080D701
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0080D70A
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0080D70F
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0080D719
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0080D71E
                                                                    • SetForegroundWindow.USER32(?), ref: 0080D721
                                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 0080D748
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 4125248594-2988720461
                                                                    • Opcode ID: f78d54a2bd0fd69f3439e098a369be388ed46114057aa021bd242802e4668378
                                                                    • Instruction ID: c137567c80b8c5c78139e24f9481e34a42f713cba0249f927efc7ad217a75f4d
                                                                    • Opcode Fuzzy Hash: f78d54a2bd0fd69f3439e098a369be388ed46114057aa021bd242802e4668378
                                                                    • Instruction Fuzzy Hash: 03319271A40318BBEB202BA18C4AF7F3E6CFB44B51F104025FB05EB1D2D6B45900ABA0
                                                                    APIs
                                                                      • Part of subcall function 008287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082882B
                                                                      • Part of subcall function 008287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828858
                                                                      • Part of subcall function 008287E1: GetLastError.KERNEL32 ref: 00828865
                                                                    • _memset.LIBCMT ref: 00828353
                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008283A5
                                                                    • CloseHandle.KERNEL32(?), ref: 008283B6
                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008283CD
                                                                    • GetProcessWindowStation.USER32 ref: 008283E6
                                                                    • SetProcessWindowStation.USER32(00000000), ref: 008283F0
                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0082840A
                                                                      • Part of subcall function 008281CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00828309), ref: 008281E0
                                                                      • Part of subcall function 008281CB: CloseHandle.KERNEL32(?,?,00828309), ref: 008281F2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                    • String ID: $default$winsta0
                                                                    • API String ID: 2063423040-1027155976
                                                                    • Opcode ID: f1d9b3979c18caa738a1d83912d0fac8e51ce6cf5f7b471096ecd8a5175f68ae
                                                                    • Instruction ID: dba8c57185ae5201972c2caad1064bf6d39432ce6b7a402d88904087b871e70b
                                                                    • Opcode Fuzzy Hash: f1d9b3979c18caa738a1d83912d0fac8e51ce6cf5f7b471096ecd8a5175f68ae
                                                                    • Instruction Fuzzy Hash: C9817971902219EFDF119FA4ED49AEEBBB8FF08304F144169F910E2261DB358E94DB20
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0083C78D
                                                                    • FindClose.KERNEL32(00000000), ref: 0083C7E1
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0083C806
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0083C81D
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0083C844
                                                                    • __swprintf.LIBCMT ref: 0083C890
                                                                    • __swprintf.LIBCMT ref: 0083C8D3
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                    • __swprintf.LIBCMT ref: 0083C927
                                                                      • Part of subcall function 007F3698: __woutput_l.LIBCMT ref: 007F36F1
                                                                    • __swprintf.LIBCMT ref: 0083C975
                                                                      • Part of subcall function 007F3698: __flsbuf.LIBCMT ref: 007F3713
                                                                      • Part of subcall function 007F3698: __flsbuf.LIBCMT ref: 007F372B
                                                                    • __swprintf.LIBCMT ref: 0083C9C4
                                                                    • __swprintf.LIBCMT ref: 0083CA13
                                                                    • __swprintf.LIBCMT ref: 0083CA62
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0083EFB6
                                                                    • _wcscmp.LIBCMT ref: 0083EFCB
                                                                    • _wcscmp.LIBCMT ref: 0083EFE2
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0083EFF4
                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 0083F00E
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0083F026
                                                                    • FindClose.KERNEL32(00000000), ref: 0083F031
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0083F04D
                                                                    • _wcscmp.LIBCMT ref: 0083F074
                                                                    • _wcscmp.LIBCMT ref: 0083F08B
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0083F09D
                                                                    • SetCurrentDirectoryW.KERNEL32(00888920), ref: 0083F0BB
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0083F0C5
                                                                    • FindClose.KERNEL32(00000000), ref: 0083F0D2
                                                                    • FindClose.KERNEL32(00000000), ref: 0083F0E4
                                                                    Similarity
                                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                    • String ID: *.*
                                                                    APIs
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00850953
                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0085F910,00000000,?,00000000,?,?), ref: 008509C1
                                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00850A09
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00850A92
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00850DB2
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00850DBF
                                                                    Similarity
                                                                    • API ID: Close$ConnectCreateRegistryValue
                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0083F113
                                                                    • _wcscmp.LIBCMT ref: 0083F128
                                                                    • _wcscmp.LIBCMT ref: 0083F13F
                                                                      • Part of subcall function 00834385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008343A0
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0083F16E
                                                                    • FindClose.KERNEL32(00000000), ref: 0083F179
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0083F195
                                                                    • _wcscmp.LIBCMT ref: 0083F1BC
                                                                    • _wcscmp.LIBCMT ref: 0083F1D3
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0083F1E5
                                                                    • SetCurrentDirectoryW.KERNEL32(00888920), ref: 0083F203
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0083F20D
                                                                    • FindClose.KERNEL32(00000000), ref: 0083F21A
                                                                    • FindClose.KERNEL32(00000000), ref: 0083F22C
                                                                    Similarity
                                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                    • String ID: *.*
                                                                    APIs
                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0083A20F
                                                                    • __swprintf.LIBCMT ref: 0083A231
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0083A26E
                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0083A293
                                                                    • _memset.LIBCMT ref: 0083A2B2
                                                                    • _wcsncpy.LIBCMT ref: 0083A2EE
                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0083A323
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0083A32E
                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0083A337
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0083A341
                                                                    Similarity
                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                    • String ID: :$\$\??\%s
                                                                    APIs
                                                                      • Part of subcall function 00828202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0082821E
                                                                      • Part of subcall function 00828202: GetLastError.KERNEL32(?,00827CE2,?,?,?), ref: 00828228
                                                                      • Part of subcall function 00828202: GetProcessHeap.KERNEL32(00000008,?,?,00827CE2,?,?,?), ref: 00828237
                                                                      • Part of subcall function 00828202: HeapAlloc.KERNEL32(00000000,?,00827CE2,?,?,?), ref: 0082823E
                                                                      • Part of subcall function 00828202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00828255
                                                                      • Part of subcall function 0082829F: GetProcessHeap.KERNEL32(00000008,00827CF8,00000000,00000000,?,00827CF8,?), ref: 008282AB
                                                                      • Part of subcall function 0082829F: HeapAlloc.KERNEL32(00000000,?,00827CF8,?), ref: 008282B2
                                                                      • Part of subcall function 0082829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00827CF8,?), ref: 008282C3
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00827D13
                                                                    • _memset.LIBCMT ref: 00827D28
                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00827D47
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00827D58
                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00827D95
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00827DB1
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00827DCE
                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00827DDD
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00827DE4
                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00827E05
                                                                    • CopySid.ADVAPI32(00000000), ref: 00827E0C
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00827E3D
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00827E63
                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00827E77
                                                                    Similarity
                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                    Similarity
                                                                    • String ID: 3c~$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_~
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?), ref: 00830097
                                                                    • SetKeyboardState.USER32(?), ref: 00830102
                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00830122
                                                                    • GetKeyState.USER32(000000A0), ref: 00830139
                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00830168
                                                                    • GetKeyState.USER32(000000A1), ref: 00830179
                                                                    • GetAsyncKeyState.USER32(00000011), ref: 008301A5
                                                                    • GetKeyState.USER32(00000011), ref: 008301B3
                                                                    • GetAsyncKeyState.USER32(00000012), ref: 008301DC
                                                                    • GetKeyState.USER32(00000012), ref: 008301EA
                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00830213
                                                                    • GetKeyState.USER32(0000005B), ref: 00830221
                                                                    Similarity
                                                                    • API ID: State$Async$Keyboard
                                                                    APIs
                                                                      • Part of subcall function 00850E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084FDAD,?,?), ref: 00850E31
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008504AC
                                                                      • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                                      • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0085054B
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008505E3
                                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00850822
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0085082F
                                                                    Similarity
                                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                    • String ID:
                                                                    APIs
                                                                      • Part of subcall function 007D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D4743,?,?,007D37AE,?), ref: 007D4770
                                                                      • Part of subcall function 00834A31: GetFileAttributesW.KERNEL32(?,0083370B), ref: 00834A32
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 008338A3
                                                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0083394B
                                                                    • MoveFileW.KERNEL32(?,?), ref: 0083395E
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0083397B
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0083399D
                                                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 008339B9
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                    • String ID: \*.*
                                                                    APIs
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0083F440
                                                                    • Sleep.KERNEL32(0000000A), ref: 0083F470
                                                                    • _wcscmp.LIBCMT ref: 0083F484
                                                                    • _wcscmp.LIBCMT ref: 0083F49F
                                                                    • FindNextFileW.KERNEL32(?,?), ref: 0083F53D
                                                                    • FindClose.KERNEL32(00000000), ref: 0083F553
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                    • String ID: *.*
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __itow__swprintf
                                                                    • String ID: 3c~$_~
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID:
                                                                    APIs
                                                                      • Part of subcall function 007D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D4743,?,?,007D37AE,?), ref: 007D4770
                                                                      • Part of subcall function 00834A31: GetFileAttributesW.KERNEL32(?,0083370B), ref: 00834A32
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00833B89
                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00833BD9
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00833BEA
                                                                    • FindClose.KERNEL32(00000000), ref: 00833C01
                                                                    • FindClose.KERNEL32(00000000), ref: 00833C0A
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                    • String ID: \*.*
                                                                    APIs
                                                                      • Part of subcall function 008287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082882B
                                                                      • Part of subcall function 008287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828858
                                                                      • Part of subcall function 008287E1: GetLastError.KERNEL32 ref: 00828865
                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 008351F9
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                    • String ID: $@$SeShutdownPrivilege
                                                                    APIs
                                                                    • socket.WSOCK32(00000002,00000001,00000006), ref: 008462DC
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 008462EB
                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00846307
                                                                    • listen.WSOCK32(00000000,00000005), ref: 00846316
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00846330
                                                                    • closesocket.WSOCK32(00000000), ref: 00846344
                                                                    Similarity
                                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                                    • String ID:
                                                                    APIs
                                                                      • Part of subcall function 007F0DB6: std::exception::exception.LIBCMT ref: 007F0DEC
                                                                      • Part of subcall function 007F0DB6: __CxxThrowException@8.LIBCMT ref: 007F0E01
                                                                    • _memmove.LIBCMT ref: 00820258
                                                                    • _memmove.LIBCMT ref: 0082036D
                                                                    • _memmove.LIBCMT ref: 00820414
                                                                    Similarity
                                                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                    • String ID:
                                                                    APIs
                                                                      • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 007D19FA
                                                                    • GetSysColor.USER32(0000000F), ref: 007D1A4E
                                                                    • SetBkColor.GDI32(?,00000000), ref: 007D1A61
                                                                      • Part of subcall function 007D1290: DefDlgProcW.USER32(?,00000020,?), ref: 007D12D8
                                                                    Similarity
                                                                    • API ID: ColorProc$LongWindow
                                                                    • String ID:
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0083BCE6
                                                                    • _wcscmp.LIBCMT ref: 0083BD16
                                                                    • _wcscmp.LIBCMT ref: 0083BD2B
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0083BD3C
                                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0083BD6C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                                                    • String ID:
                                                                    • API String ID: 2387731787-0
                                                                    • Opcode ID: 8098a4cee87bb0f138fa2797b0dd5f9ddd283a20b6b664f529bd89b58cc49e52
                                                                    • Instruction ID: 203aa7f2c3cafe86a8cd6a1c494f54b9eb6d3aeb5553bc573964662ec002b9db
                                                                    • Opcode Fuzzy Hash: 8098a4cee87bb0f138fa2797b0dd5f9ddd283a20b6b664f529bd89b58cc49e52
                                                                    • Instruction Fuzzy Hash: 875178B5604606DFD718DF28C491EAAB3E4FF89324F10465AEA56C73A1DB34ED04CB91
                                                                    APIs
                                                                      • Part of subcall function 00847D8B: inet_addr.WSOCK32(00000000), ref: 00847DB6
                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 0084679E
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 008467C7
                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00846800
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0084680D
                                                                    • closesocket.WSOCK32(00000000), ref: 00846821
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 99427753-0
                                                                    • Opcode ID: 29673c2e8d32bc8546165e910320831c990bbcabec5da0f56be0dbf5e96106ba
                                                                    • Instruction ID: 419acda106295212de63138a3859cc5cd1bd3a6e889341a42709d49c0afa87d3
                                                                    • Opcode Fuzzy Hash: 29673c2e8d32bc8546165e910320831c990bbcabec5da0f56be0dbf5e96106ba
                                                                    • Instruction Fuzzy Hash: EA41B675B00214AFDB50BF64888AF2E77B8EF49714F048559FA15AB3C2DA789D008792
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                    • String ID:
                                                                    • API String ID: 292994002-0
                                                                    • Opcode ID: 6169090604a2eaa2c3d84bcccd18e2a532fa173fed8a5c500d6d06fea181db99
                                                                    • Instruction ID: e1f3d943e17c106bf7301c8f4d597fcadbc36f780854b4fc4ee4178320566386
                                                                    • Opcode Fuzzy Hash: 6169090604a2eaa2c3d84bcccd18e2a532fa173fed8a5c500d6d06fea181db99
                                                                    • Instruction Fuzzy Hash: 4D110431300A11AFDB216F26DC58AAE7BA8FF457A2B404029FD09D3342DB78DD0186A4
                                                                    APIs
                                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008280C0
                                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008280CA
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008280D9
                                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008280E0
                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008280F6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 44706859-0
                                                                    • Opcode ID: befe523a58c7dd58c68fca84f2ebd629db323e7b2948b062f4987bbae4662355
                                                                    • Instruction ID: 8b3afa89f7c2afdaac2b049baa081dd4cccf626b12b2f0e6b6ee8efa8fbd2de0
                                                                    • Opcode Fuzzy Hash: befe523a58c7dd58c68fca84f2ebd629db323e7b2948b062f4987bbae4662355
                                                                    • Instruction Fuzzy Hash: 30F0C230246314EFEB114FA4EC8CE6B3BACFF49756F440025FA05C3191CB649C55DA60
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 0083C432
                                                                    • CoCreateInstance.OLE32(00862D6C,00000000,00000001,00862BDC,?), ref: 0083C44A
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                    • CoUninitialize.OLE32 ref: 0083C6B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                    • String ID: .lnk
                                                                    • API String ID: 2683427295-24824748
                                                                    • Opcode ID: 9b47dc8a5cf65768efdea195a967c6934446ea73a355848c1a03c6d16103bac3
                                                                    • Instruction ID: 4f24942ba72e729b391459edbf14679a14e6abd3bfb92aa0903684b688507828
                                                                    • Opcode Fuzzy Hash: 9b47dc8a5cf65768efdea195a967c6934446ea73a355848c1a03c6d16103bac3
                                                                    • Instruction Fuzzy Hash: DCA14B71204205AFD700EF54C885EABB7F8FF94354F00492EF195972A2EB75EA49CB62
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,007D4AD0), ref: 007D4B45
                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007D4B57
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                    • API String ID: 2574300362-192647395
                                                                    • Opcode ID: c4e74a2233ee49eeacc39afd76ed4728e61e851d1c1b8a688682f93edb30de1d
                                                                    • Instruction ID: 3f30d8a282393ac748c753fa405de18ade726921d9b9e5b18237bc3438854801
                                                                    • Opcode Fuzzy Hash: c4e74a2233ee49eeacc39afd76ed4728e61e851d1c1b8a688682f93edb30de1d
                                                                    • Instruction Fuzzy Hash: F7D01274A50713DFD7209F31D818B0676E4BF15392B11883B99D5D6251E678D480C655
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0084EE3D
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0084EE4B
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 0084EF0B
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0084EF1A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                    • String ID:
                                                                    • API String ID: 2576544623-0
                                                                    • Opcode ID: 23a4581b6683572ebbe7787c165b09b09032a0748a209d3b68c1828867180d10
                                                                    • Instruction ID: 80cb0c9d21bc81f152ea9672c9c23cf1f09d32fa27d832d05ae3a82b826e8d65
                                                                    • Opcode Fuzzy Hash: 23a4581b6683572ebbe7787c165b09b09032a0748a209d3b68c1828867180d10
                                                                    • Instruction Fuzzy Hash: 22516A71504715ABD310EF24D885E6BB7F8FF98710F10482EF595D72A2EB74A908CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper
                                                                    • String ID:
                                                                    • API String ID: 3964851224-0
                                                                    • Opcode ID: c3a9db03740b72da1d38d2f7f00e34a786c31ffe783f040bbde91480278f860d
                                                                    • Instruction ID: 625a78a7f24ce3b87ef3298e1f3a77abb491ad00d9281196e0035c353a68f69d
                                                                    • Opcode Fuzzy Hash: c3a9db03740b72da1d38d2f7f00e34a786c31ffe783f040bbde91480278f860d
                                                                    • Instruction Fuzzy Hash: 0F924970608381CFD720DF15C484B6AB7E5FF89304F14896DE98A9B352D7B9E885CB92
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0082E628
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen
                                                                    • String ID: ($|
                                                                    • API String ID: 1659193697-1631851259
                                                                    • Opcode ID: 3ad4a9409c94d54ec5fa8422d5a4d5d315065b4b4dbad4801bc65bdc8efee9ee
                                                                    • Instruction ID: 15978b2baef86bc0ea55f02506695bcbb0124fe83f77974da88ef52dc2ab3e52
                                                                    • Opcode Fuzzy Hash: 3ad4a9409c94d54ec5fa8422d5a4d5d315065b4b4dbad4801bc65bdc8efee9ee
                                                                    • Instruction Fuzzy Hash: 2B3234B5A007159FDB28CF19D48096AB7F0FF58320B15C46EE89ADB3A1E770E981CB44
                                                                    APIs
                                                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0084180A,00000000), ref: 008423E1
                                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00842418
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                                    • String ID:
                                                                    • API String ID: 599397726-0
                                                                    • Opcode ID: d6ff5d13087a02a838d04dab4b689e55e026fb1a360789e05f3634d780415289
                                                                    • Instruction ID: 1d48f6cc0323ac0d47b3be598e6f2610988b6f5d0ba3ea9cc72a16f1228d0b7e
                                                                    • Opcode Fuzzy Hash: d6ff5d13087a02a838d04dab4b689e55e026fb1a360789e05f3634d780415289
                                                                    • Instruction Fuzzy Hash: A441F371A0830DFFEB10DE95DC85EBBB7BCFB40328F50406AF601E6251EA759E419664
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0083B40B
                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0083B465
                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0083B4B2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$DiskFreeSpace
                                                                    • String ID:
                                                                    • API String ID: 1682464887-0
                                                                    • Opcode ID: 5d14425ca4aef7eb86b8a11d2802572081fb21c060aa0b6bee936a9e22dd61d9
                                                                    • Instruction ID: 088ebe6a36821b3da2c92d87b3eb7096084dfeb05820723c81d624326d16f28b
                                                                    • Opcode Fuzzy Hash: 5d14425ca4aef7eb86b8a11d2802572081fb21c060aa0b6bee936a9e22dd61d9
                                                                    • Instruction Fuzzy Hash: D721A175A00208EFCB00EFA5D884AEDBBB8FF49310F0480AAE905EB352CB359915CB55
                                                                    APIs
                                                                      • Part of subcall function 007F0DB6: std::exception::exception.LIBCMT ref: 007F0DEC
                                                                      • Part of subcall function 007F0DB6: __CxxThrowException@8.LIBCMT ref: 007F0E01
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082882B
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828858
                                                                    • GetLastError.KERNEL32 ref: 00828865
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 1922334811-0
                                                                    • Opcode ID: 0d09d0f04318bfbce0e5a0f2fc1dbb4afe4f87ae2c54c09e0f85e2120a57b540
                                                                    • Instruction ID: 3abb28481a1ee5a5e54d08289bb1392b988ba7627c2b60841599e385ec4c517a
                                                                    • Opcode Fuzzy Hash: 0d09d0f04318bfbce0e5a0f2fc1dbb4afe4f87ae2c54c09e0f85e2120a57b540
                                                                    • Instruction Fuzzy Hash: 5F1160B1514308EFEB18DF64EC89D6BB7A8FB44711B24852EE55597342EB34BC408B60
                                                                    APIs
                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00828774
                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0082878B
                                                                    • FreeSid.ADVAPI32(?), ref: 0082879B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                    • String ID:
                                                                    • API String ID: 3429775523-0
                                                                    • Opcode ID: 577ab97f084c799b7ad244704c627263ca35ca461b9a4871b0caaac5d5f7e103
                                                                    • Instruction ID: c55e8fc5a62f57471dbd2daaefbacc0021b930f37f28f818b0022088cffb9625
                                                                    • Opcode Fuzzy Hash: 577ab97f084c799b7ad244704c627263ca35ca461b9a4871b0caaac5d5f7e103
                                                                    • Instruction Fuzzy Hash: 2FF0FF7595130DBFDF04DFF4DD89AAEB7BCFF08212F504469AA01E2182D7755A448B50
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0083C6FB
                                                                    • FindClose.KERNEL32(00000000), ref: 0083C72B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID:
                                                                    • API String ID: 2295610775-0
                                                                    • Opcode ID: ec7d26c26406913205a09974e53384b250871979fd1355dd72374d8ce8630fd8
                                                                    • Instruction ID: a962fce750b71d95c0a73aa06280064979c55af9c042835802c4fcad7065bf27
                                                                    • Opcode Fuzzy Hash: ec7d26c26406913205a09974e53384b250871979fd1355dd72374d8ce8630fd8
                                                                    • Instruction Fuzzy Hash: 45115E726006049FDB10EF29D849A6AF7E9FF85725F00851EF9A9D73A1DB34A805CF81
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00849468,?,0085FB84,?), ref: 0083A097
                                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00849468,?,0085FB84,?), ref: 0083A0A9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ErrorFormatLastMessage
                                                                    • String ID:
                                                                    • API String ID: 3479602957-0
                                                                    • Opcode ID: 7bc0adad4fee120dfb763cd868622cce93724e4bc080741785b6c7a173b306a6
                                                                    • Instruction ID: 83f4b16f5277acadbeabfcc86470da9bacdd83f095ea0b1fe9c26a18cfd15109
                                                                    • Opcode Fuzzy Hash: 7bc0adad4fee120dfb763cd868622cce93724e4bc080741785b6c7a173b306a6
                                                                    • Instruction Fuzzy Hash: B4F05E3510522DABDB25AFA4CC48FEA776DFF08361F004166B949D6281D6309940CBA1
                                                                    APIs
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00828309), ref: 008281E0
                                                                    • CloseHandle.KERNEL32(?,?,00828309), ref: 008281F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                    • String ID:
                                                                    • API String ID: 81990902-0
                                                                    • Opcode ID: fe337ad78c953f4aaaceadd9b576bf46e4b233b21319301b120b36a7d4ede8fe
                                                                    • Instruction ID: df39f48c04c7c0761cd1cf9c39e230e6d440f67342171c31e9fb6c5ba0d0ff68
                                                                    • Opcode Fuzzy Hash: fe337ad78c953f4aaaceadd9b576bf46e4b233b21319301b120b36a7d4ede8fe
                                                                    • Instruction Fuzzy Hash: 58E0BF71011610EFEB252B71EC09D7777A9FB04311B14882DB55584571DB655C91DB50
                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,007F8D57,?,?,?,00000001), ref: 007FA15A
                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 007FA163
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: 8bd4cdf9054d897334b7bfaf306c50972f5c4a3c44ecf7f30fd75f794c9d02a0
                                                                    • Instruction ID: d5150e27d5ccd370fa8ddbafc234acbbb1d62cca04eb856d9c2c2f097f885d44
                                                                    • Opcode Fuzzy Hash: 8bd4cdf9054d897334b7bfaf306c50972f5c4a3c44ecf7f30fd75f794c9d02a0
                                                                    • Instruction Fuzzy Hash: D1B09231054308ABEA002F91ED09BC93F6AFB44AA3F404020F70D84272CB6654508A91
                                                                    Strings
                                                                    • Variable must be of type 'Object'., xrefs: 00813E62
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Variable must be of type 'Object'.
                                                                    • API String ID: 0-109567571
                                                                    • Opcode ID: bcefb17e676199eefc0cd8746eb1167c71c05bf9c369fc2672db41b59ecca19f
                                                                    • Instruction ID: 92e6b58c86480b8e85b087bbf6106f2c961cdc660eeb264b2ab36f86f8bd62a8
                                                                    • Opcode Fuzzy Hash: bcefb17e676199eefc0cd8746eb1167c71c05bf9c369fc2672db41b59ecca19f
                                                                    • Instruction Fuzzy Hash: EAA29075A00209CFCB15EF58C480AADB7B6FF58314F68805AE906AF351D779ED82CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f4d2c7139ab45998cd357503c9b527787d4fb6c9449f52f0b988989e200feed1
                                                                    • Instruction ID: 7901cac06646cda6767188c06a3de49a2778b625d8167a6aeca547c6a3aafe78
                                                                    • Opcode Fuzzy Hash: f4d2c7139ab45998cd357503c9b527787d4fb6c9449f52f0b988989e200feed1
                                                                    • Instruction Fuzzy Hash: 1F321422D29F054DD7239634D832336A249BFB73D8F15E737E929B5AA6EF68C4834140
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0caccf18e9abe59b99afba3dd02ab69150202084fe26d32979a6e0177805a055
                                                                    • Instruction ID: 3f5ff96d35ea4e64405a891c53c9eb6e00b7ec70c71f35c40dcdb45cc2f909c4
                                                                    • Opcode Fuzzy Hash: 0caccf18e9abe59b99afba3dd02ab69150202084fe26d32979a6e0177805a055
                                                                    • Instruction Fuzzy Hash: 7DB10120D2AF404DD32396398935336BA5CBFBB2C5F52E71BFC2674E62EB6285834541
                                                                    APIs
                                                                    • __time64.LIBCMT ref: 0083889B
                                                                      • Part of subcall function 007F520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00838F6E,00000000,?,?,?,?,0083911F,00000000,?), ref: 007F5213
                                                                      • Part of subcall function 007F520A: __aulldiv.LIBCMT ref: 007F5233
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                                    • String ID:
                                                                    • API String ID: 2893107130-0
                                                                    • Opcode ID: bce358af6ff7a189aa3bc005d70cfa26ad72c88e16294cb093f618f268983fb5
                                                                    • Instruction ID: a9ceb57c30545748d830c20a9ef527f2608ebbb7754c90757651c5a4f1c9206a
                                                                    • Opcode Fuzzy Hash: bce358af6ff7a189aa3bc005d70cfa26ad72c88e16294cb093f618f268983fb5
                                                                    • Instruction Fuzzy Hash: 5D21DF32625610CBC729CF29D841A52B3E1FBA4310F298E2CE1F5CB2D0CA34A905CB94
                                                                    APIs
                                                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00834C4A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: mouse_event
                                                                    • String ID:
                                                                    • API String ID: 2434400541-0
                                                                    • Opcode ID: 679b7c8ff9ca7d2b5ca974cce6ac1676d6abe29f9ac84861c5535ff9bb442028
                                                                    • Instruction ID: 1543de08c02d33a747c6c92ccf73cb8035051ac0c81a2a65c1aad849d108aacd
                                                                    • Opcode Fuzzy Hash: 679b7c8ff9ca7d2b5ca974cce6ac1676d6abe29f9ac84861c5535ff9bb442028
                                                                    • Instruction Fuzzy Hash: 1DD05E9116530D38EC1C07209E0FF7A0108F3C0796FD0B1497201CA1C2ECA87C42A0B1
                                                                    APIs
                                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00828389), ref: 008287D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: LogonUser
                                                                    • String ID:
                                                                    • API String ID: 1244722697-0
                                                                    • Opcode ID: cbe889aeb44c189b56927c65499bc206a88e4c4801c100122fd1d3282595300d
                                                                    • Instruction ID: 3dcfbe4cfcd81edcde4b846a815f2070857828a200d0d62e0f5263e10956677e
                                                                    • Opcode Fuzzy Hash: cbe889aeb44c189b56927c65499bc206a88e4c4801c100122fd1d3282595300d
                                                                    • Instruction Fuzzy Hash: FAD05E32260A0EABEF018EA4DC01EAE3B69EB04B02F408111FE15C50A1C775D835AB60
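The function blocks above (the LookupPrivilegeValueW/AdjustTokenPrivileges routine at 00828858, the AllocateAndInitializeSid/CheckTokenMembership routine at 0082878B, the LogonUserW call at 008287D1) share a fixed text layout: an APIs or Strings list, a Memory Dump Source block, and a Similarity block ending in the Instruction Fuzzy Hash. The Python below is an added example, not part of the Joe Sandbox report or product, that parses these blocks into records, separates direct calls from "Part of subcall function" lines, and tags each function by the API cluster it calls directly. SAMPLE is a constructed, shortened copy of three of the page's entries; the tag names in CAPABILITY_TAGS are assumptions for this demo, not Joe Sandbox signature names.

```python
"""Parser for the Joe Sandbox IDA-plugin function entries listed above.
Added example, not part of the Joe Sandbox report or product. SAMPLE is a
constructed, shortened copy of three entries from this page (real API names,
addresses and hashes; dump-source lines omitted). CAPABILITY_TAGS are assumed
triage labels for this demo, not Joe Sandbox signature names."""
import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<parent>[0-9A-F]{8}):\s*(?P<rest>.+)$")
# "AdjustTokenPrivileges.ADVAPI32(?,00000000,...), ref: 00828858" or, with no
# argument list, "GetLastError.KERNEL32 ref: 00828865"
CALL_RE = re.compile(r"^(?P<name>[\w:@]+)\.(?P<module>[A-Z0-9]+)"
                     r"(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
STRING_RE = re.compile(r"^(?P<text>.+?),\s*xrefs:\s*[0-9A-F]{8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str              # call-site address in the dump
    subcall_of: str = ""  # parent function when reached through a subcall


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # Opcode ID, fuzzy hashes, ...

    def direct_api_names(self) -> set:
        return {c.name for c in self.apis if not c.subcall_of}


def parse_entries(text: str) -> list:
    """One FunctionEntry per block; the 'Instruction Fuzzy Hash' line closes a block."""
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            parent, sub = "", SUBCALL_RE.match(line)
            if sub:
                parent, line = sub["parent"], sub["rest"]
            call = CALL_RE.match(line)
            if call:
                cur.apis.append(ApiCall(call["name"], call["module"], call["ref"], parent))
            continue
        if section == "Strings":
            s = STRING_RE.match(line)
            if s:
                cur.strings.append(s["text"])
            continue
        key, sep, value = line.partition(":")
        if sep:
            cur.fields[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur, section = FunctionEntry(), None
    return entries


# Coarse triage labels: a tag applies when the function calls every listed API directly.
CAPABILITY_TAGS = {
    "token-privilege-adjust": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "admin-membership-check": {"AllocateAndInitializeSid", "CheckTokenMembership"},
    "logon-with-credentials": {"LogonUserW"},
}


def tag_entry(entry: FunctionEntry) -> list:
    names = entry.direct_api_names()
    return sorted(tag for tag, need in CAPABILITY_TAGS.items() if need <= names)


SAMPLE = """\
APIs
  • Part of subcall function 007F0DB6: __CxxThrowException@8.LIBCMT ref: 007F0E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828858
• GetLastError.KERNEL32 ref: 00828865
Similarity
• API String ID: 1922334811-0
• Opcode ID: 0d09d0f04318bfbce0e5a0f2fc1dbb4afe4f87ae2c54c09e0f85e2120a57b540
• Instruction Fuzzy Hash: 5F1160B1514308EFEB18DF64EC89D6BB7A8FB44711B24852EE55597342EB34BC408B60
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00828774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0082878B
• FreeSid.ADVAPI32(?), ref: 0082879B
Similarity
• Opcode ID: 577ab97f084c799b7ad244704c627263ca35ca461b9a4871b0caaac5d5f7e103
• Instruction Fuzzy Hash: 2FF0FF7595130DBFDF04DFF4DD89AAEB7BCFF08212F504469AA01E2182D7755A448B50
Strings
• Variable must be of type 'Object'., xrefs: 00813E62
Similarity
• Opcode ID: bcefb17e676199eefc0cd8746eb1167c71c05bf9c369fc2672db41b59ecca19f
• Instruction Fuzzy Hash: EAA29075A00209CFCB15EF58C480AADB7B6FF58314F68805AE906AF351D779ED82CB91
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.fields.get("Opcode ID", "")[:16], sorted(e.direct_api_names()), tag_entry(e))
```

The Opcode ID and the two fuzzy hashes that the plugin emits under Similarity are kept in each record's `fields`, so the same records can be joined against other reports to find functions shared between samples. Tagging deliberately ignores subcall lines: the std::exception/__CxxThrowException entries are runtime library noise, and only the APIs the function itself invokes say what it does.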
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 007FA12A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
• DeleteObject.GDI32(00000000), ref: 0084785B
• DeleteObject.GDI32(00000000), ref: 0084786D
• DestroyWindow.USER32 ref: 0084787B
• GetDesktopWindow.USER32 ref: 00847895
• GetWindowRect.USER32(00000000), ref: 0084789C
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 008479DD
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 008479ED
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847A35
• GetClientRect.USER32(00000000,?), ref: 00847A41
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00847A7B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847A9D
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847AB0
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847ABB
• GlobalLock.KERNEL32(00000000), ref: 00847AC4
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847AD3
• GlobalUnlock.KERNEL32(00000000), ref: 00847ADC
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847AE3
• GlobalFree.KERNEL32(00000000), ref: 00847AEE
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00862CAC,00000000), ref: 00847B16
• GlobalFree.KERNEL32(00000000), ref: 00847B26
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00847B4C
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00847B6B
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847B8D
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847D7A
Strings
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
APIs
• CharUpperBuffW.USER32(?,?,0085F910), ref: 00853627
• IsWindowVisible.USER32(?), ref: 0085364B
Strings
Similarity
• API ID: BuffCharUpperVisibleWindow
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 4105515805-45149045
APIs
• SetTextColor.GDI32(?,00000000), ref: 0085A630
• GetSysColorBrush.USER32(0000000F), ref: 0085A661
• GetSysColor.USER32(0000000F), ref: 0085A66D
• SetBkColor.GDI32(?,000000FF), ref: 0085A687
• SelectObject.GDI32(?,00000000), ref: 0085A696
• InflateRect.USER32(?,000000FF,000000FF), ref: 0085A6C1
• GetSysColor.USER32(00000010), ref: 0085A6C9
• CreateSolidBrush.GDI32(00000000), ref: 0085A6D0
• FrameRect.USER32(?,?,00000000), ref: 0085A6DF
• DeleteObject.GDI32(00000000), ref: 0085A6E6
• InflateRect.USER32(?,000000FE,000000FE), ref: 0085A731
• FillRect.USER32(?,?,00000000), ref: 0085A763
• GetWindowLongW.USER32(?,000000F0), ref: 0085A78E
  • Part of subcall function 0085A8CA: GetSysColor.USER32(00000012), ref: 0085A903
  • Part of subcall function 0085A8CA: SetTextColor.GDI32(?,?), ref: 0085A907
  • Part of subcall function 0085A8CA: GetSysColorBrush.USER32(0000000F), ref: 0085A91D
  • Part of subcall function 0085A8CA: GetSysColor.USER32(0000000F), ref: 0085A928
  • Part of subcall function 0085A8CA: GetSysColor.USER32(00000011), ref: 0085A945
  • Part of subcall function 0085A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0085A953
  • Part of subcall function 0085A8CA: SelectObject.GDI32(?,00000000), ref: 0085A964
  • Part of subcall function 0085A8CA: SetBkColor.GDI32(?,00000000), ref: 0085A96D
  • Part of subcall function 0085A8CA: SelectObject.GDI32(?,?), ref: 0085A97A
  • Part of subcall function 0085A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0085A999
  • Part of subcall function 0085A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0085A9B0
  • Part of subcall function 0085A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0085A9C5
  • Part of subcall function 0085A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0085A9ED
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
• String ID:
• API String ID: 3521893082-0
APIs
• DestroyWindow.USER32(00000000), ref: 008474DE
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0084759D
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008475DB
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 008475ED
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00847633
• GetClientRect.USER32(00000000,?), ref: 0084763F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00847683
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00847692
• GetStockObject.GDI32(00000011), ref: 008476A2
• SelectObject.GDI32(00000000,00000000), ref: 008476A6
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008476B6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 008476BF
• DeleteDC.GDI32(00000000), ref: 008476C8
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008476F4
• SendMessageW.USER32(00000030,00000000,00000001), ref: 0084770B
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00847746
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0084775A
• SendMessageW.USER32(00000404,00000001,00000000), ref: 0084776B
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0084779B
• GetStockObject.GDI32(00000011), ref: 008477A6
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008477B1
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 008477BB
Strings
                                                                    Similarity
                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                    • API String ID: 2910397461-517079104
                                                                    • Opcode ID: 742c8b4f60bd4b7fa750abf500f79e3fa17a0e16c0481ef2b1b729e4aefe27fd
                                                                    • Instruction ID: 060bc7d535db0ad557264f1b0af1c5c19f2c38a4421bf9f7151a55c164eff539
                                                                    • Opcode Fuzzy Hash: 742c8b4f60bd4b7fa750abf500f79e3fa17a0e16c0481ef2b1b729e4aefe27fd
                                                                    • Instruction Fuzzy Hash: 7BA15CB1A40609BFEB149BA4DD4AFAE7BB9FB08711F044115FA15EB2E1D774AD00CB60
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0083AD1E
                                                                    • GetDriveTypeW.KERNEL32(?,0085FAC0,?,\\.\,0085F910), ref: 0083ADFB
                                                                    • SetErrorMode.KERNEL32(00000000,0085FAC0,?,\\.\,0085F910), ref: 0083AF59
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$DriveType
                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                    • API String ID: 2907320926-4222207086
                                                                    • Opcode ID: 08ed3cdf3558789c36ece46772ca1ed98c90be1a1f1258bd6710beb7860cf56f
                                                                    • Instruction ID: edb86ceef90d4fdbf7b0368464c7ef2749ba3d4102aec12b2da443c4fcf2d9d5
                                                                    • Opcode Fuzzy Hash: 08ed3cdf3558789c36ece46772ca1ed98c90be1a1f1258bd6710beb7860cf56f
                                                                    • Instruction Fuzzy Hash: 6E519DB4648209EB8B18EB14D982CBD73A1FFC8714FA04156E496E73D1DE399D01EB83
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                    • API String ID: 1038674560-86951937
                                                                    • Opcode ID: 409bcf407a855443c94ccadf99087e5472e4cc34baf17fefac074b08cc41e81d
                                                                    • Instruction ID: 4bcb088dd6c8ca6ff9a13af077b63376b16192c3916c80886f7725192128e06b
                                                                    • Opcode Fuzzy Hash: 409bcf407a855443c94ccadf99087e5472e4cc34baf17fefac074b08cc41e81d
                                                                    • Instruction Fuzzy Hash: BE81E9B1640219EACB20BA60DC56FBB3778FF15750F044026FD45AA3D6EB68D945C261
                                                                    APIs
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00859AD2
                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00859B8B
                                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 00859BA7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window
                                                                    • String ID: 0
                                                                    • API String ID: 2326795674-4108050209
                                                                    • Opcode ID: 8f6de9cf3c9f9ac9b7ff1fd75ba9b89d541f0c2c2237062fdcb5e1824696d61e
                                                                    • Instruction ID: e36e382537a871ca4eb9312b07e5fe5c26ed0aa6c639089931f59d4d324c0f2e
                                                                    • Opcode Fuzzy Hash: 8f6de9cf3c9f9ac9b7ff1fd75ba9b89d541f0c2c2237062fdcb5e1824696d61e
                                                                    • Instruction Fuzzy Hash: 27028930104301EFEB25CF24C889BAABBE5FF49316F04852DF9D9D62A1D7799948CB52
                                                                    APIs
                                                                    • GetSysColor.USER32(00000012), ref: 0085A903
                                                                    • SetTextColor.GDI32(?,?), ref: 0085A907
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0085A91D
                                                                    • GetSysColor.USER32(0000000F), ref: 0085A928
                                                                    • CreateSolidBrush.GDI32(?), ref: 0085A92D
                                                                    • GetSysColor.USER32(00000011), ref: 0085A945
                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0085A953
                                                                    • SelectObject.GDI32(?,00000000), ref: 0085A964
                                                                    • SetBkColor.GDI32(?,00000000), ref: 0085A96D
                                                                    • SelectObject.GDI32(?,?), ref: 0085A97A
                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0085A999
                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0085A9B0
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0085A9C5
                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0085A9ED
                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0085AA14
                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0085AA32
                                                                    • DrawFocusRect.USER32(?,?), ref: 0085AA3D
                                                                    • GetSysColor.USER32(00000011), ref: 0085AA4B
                                                                    • SetTextColor.GDI32(?,00000000), ref: 0085AA53
                                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0085AA67
                                                                    • SelectObject.GDI32(?,0085A5FA), ref: 0085AA7E
                                                                    • DeleteObject.GDI32(?), ref: 0085AA89
                                                                    • SelectObject.GDI32(?,?), ref: 0085AA8F
                                                                    • DeleteObject.GDI32(?), ref: 0085AA94
                                                                    • SetTextColor.GDI32(?,?), ref: 0085AA9A
                                                                    • SetBkColor.GDI32(?,?), ref: 0085AAA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                    • String ID:
                                                                    • API String ID: 1996641542-0
                                                                    • Opcode ID: 8f08c52ee6f0fd659efe736a7b0351f0015ca1d4153a9502beaeb7775b2841f2
                                                                    • Instruction ID: 730d06516d9eb4e6827c546c460e05ca6b8122e3663a8d46227a7f29fad565eb
                                                                    • Opcode Fuzzy Hash: 8f08c52ee6f0fd659efe736a7b0351f0015ca1d4153a9502beaeb7775b2841f2
                                                                    • Instruction Fuzzy Hash: CE512D71900218EFDF119FA4DC48EAE7BB9FB08322F114625FA11AB2A2D7759940DF90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00858AC1
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00858AD2
                                                                    • CharNextW.USER32(0000014E), ref: 00858B01
                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00858B42
                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00858B58
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00858B69
                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00858B86
                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00858BD8
                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00858BEE
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00858C1F
                                                                    • _memset.LIBCMT ref: 00858C44
                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00858C8D
                                                                    • _memset.LIBCMT ref: 00858CEC
                                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00858D16
                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00858D6E
                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00858E1B
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00858E3D
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00858E87
                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00858EB4
                                                                    • DrawMenuBar.USER32(?), ref: 00858EC3
                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00858EEB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                    • String ID: 0
                                                                    • API String ID: 1073566785-4108050209
                                                                    • Opcode ID: 809f2b240fb7903e2db2a4247a726fd3f6b82ccb2795d61184b23fdad322ed3e
                                                                    • Instruction ID: e177743a2d1e9931239eb9bc7b5232befd1398e23189c0ff05e703b4904d0a8f
                                                                    • Opcode Fuzzy Hash: 809f2b240fb7903e2db2a4247a726fd3f6b82ccb2795d61184b23fdad322ed3e
                                                                    • Instruction Fuzzy Hash: 86E15E70900218EBDB219F54CC84EEE7BB9FF09711F10815AFE15EA291DB748A89DF61
                                                                    APIs
                                                                    • GetCursorPos.USER32(?), ref: 008549CA
                                                                    • GetDesktopWindow.USER32 ref: 008549DF
                                                                    • GetWindowRect.USER32(00000000), ref: 008549E6
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00854A48
                                                                    • DestroyWindow.USER32(?), ref: 00854A74
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00854A9D
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00854ABB
                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00854AE1
                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00854AF6
                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00854B09
                                                                    • IsWindowVisible.USER32(?), ref: 00854B29
                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00854B44
                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00854B58
                                                                    • GetWindowRect.USER32(?,?), ref: 00854B70
                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00854B96
                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00854BB0
                                                                    • CopyRect.USER32(?,?), ref: 00854BC7
                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00854C32
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                    • String ID: ($0$tooltips_class32
                                                                    • API String ID: 698492251-4156429822
                                                                    • Opcode ID: bc45b385ac19da65e44d2b1ad216b730b58b9f26310f58629492068c1a41e5bc
                                                                    • Instruction ID: 21b004bcbe1811f635132b5ae86b2aa345c6e1fa6bb967c172e4a9beb60b1e6f
                                                                    • Opcode Fuzzy Hash: bc45b385ac19da65e44d2b1ad216b730b58b9f26310f58629492068c1a41e5bc
                                                                    • Instruction Fuzzy Hash: BAB19A70604350AFDB04DF64C849B6ABBE4FF88319F00891DF9999B2A1D774EC49CB56
                                                                    APIs
                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 008344AC
                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008344D2
                                                                    • _wcscpy.LIBCMT ref: 00834500
                                                                    • _wcscmp.LIBCMT ref: 0083450B
                                                                    • _wcscat.LIBCMT ref: 00834521
                                                                    • _wcsstr.LIBCMT ref: 0083452C
                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00834548
                                                                    • _wcscat.LIBCMT ref: 00834591
                                                                    • _wcscat.LIBCMT ref: 00834598
                                                                    • _wcsncpy.LIBCMT ref: 008345C3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                    • API String ID: 699586101-1459072770
                                                                    • Opcode ID: 613ee01be9bcb8a04869c33cb0c630da3fb4d36b58aa31aa5ee09cf520dcacba
                                                                    • Instruction ID: a9e688153085b4049e90532e597d4d67caa4b97e1680a328acaf93741f67fea8
                                                                    • Opcode Fuzzy Hash: 613ee01be9bcb8a04869c33cb0c630da3fb4d36b58aa31aa5ee09cf520dcacba
                                                                    • Instruction Fuzzy Hash: E641D671A41208BBDB11BA748C0BEBF776CFF95710F500069FA05E6383EA6CA90186E5
                                                                    APIs
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D28BC
                                                                    • GetSystemMetrics.USER32(00000007), ref: 007D28C4
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D28EF
                                                                    • GetSystemMetrics.USER32(00000008), ref: 007D28F7
                                                                    • GetSystemMetrics.USER32(00000004), ref: 007D291C
                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007D2939
                                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007D2949
                                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007D297C
                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007D2990
                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 007D29AE
                                                                    • GetStockObject.GDI32(00000011), ref: 007D29CA
                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 007D29D5
                                                                      • Part of subcall function 007D2344: GetCursorPos.USER32(?), ref: 007D2357
                                                                      • Part of subcall function 007D2344: ScreenToClient.USER32(008957B0,?), ref: 007D2374
                                                                      • Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000001), ref: 007D2399
                                                                      • Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000002), ref: 007D23A7
                                                                    • SetTimer.USER32(00000000,00000000,00000028,007D1256), ref: 007D29FC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                    • String ID: AutoIt v3 GUI
                                                                    • API String ID: 1458621304-248962490
                                                                    • Opcode ID: fd487ba126fd38b5d0f50d4d9a34fccab3a8c695c69f7fc134011629288dc556
                                                                    • Instruction ID: ec648d0fbe114a191c18b6c34333eed8666a3cab9ecd5abeed89c9697b31ec78
                                                                    • Opcode Fuzzy Hash: fd487ba126fd38b5d0f50d4d9a34fccab3a8c695c69f7fc134011629288dc556
                                                                    • Instruction Fuzzy Hash: 45B1707160060AEFDB15DFA8DC45BAE7BB4FB58311F10422AFA15E72D1DB78A842CB50
                                                                    APIs
                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0082A47A
                                                                    • __swprintf.LIBCMT ref: 0082A51B
                                                                    • _wcscmp.LIBCMT ref: 0082A52E
                                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0082A583
                                                                    • _wcscmp.LIBCMT ref: 0082A5BF
                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 0082A5F6
                                                                    • GetDlgCtrlID.USER32(?), ref: 0082A648
                                                                    • GetWindowRect.USER32(?,?), ref: 0082A67E
                                                                    • GetParent.USER32(?), ref: 0082A69C
                                                                    • ScreenToClient.USER32(00000000), ref: 0082A6A3
                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0082A71D
                                                                    • _wcscmp.LIBCMT ref: 0082A731
                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0082A757
                                                                    • _wcscmp.LIBCMT ref: 0082A76B
                                                                      • Part of subcall function 007F362C: _iswctype.LIBCMT ref: 007F3634
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                    • String ID: %s%u
                                                                    • API String ID: 3744389584-679674701
                                                                    • Opcode ID: 59482460bad1c0ad12cf958296b5852d4fda05a6448f8e36c88debffa30cde09
                                                                    • Instruction ID: 8313a1f324d348f1083478d7ab1d9d9f7fb307295873156adb17affc7ef39872
                                                                    • Opcode Fuzzy Hash: 59482460bad1c0ad12cf958296b5852d4fda05a6448f8e36c88debffa30cde09
                                                                    • Instruction Fuzzy Hash: 28A1F271204326EFDB18DF60D888FAAB7E8FF54304F008529F999D2191DB34E995CB92
                                                                    APIs
                                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0082AF18
                                                                    • _wcscmp.LIBCMT ref: 0082AF29
                                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0082AF51
                                                                    • CharUpperBuffW.USER32(?,00000000), ref: 0082AF6E
                                                                    • _wcscmp.LIBCMT ref: 0082AF8C
                                                                    • _wcsstr.LIBCMT ref: 0082AF9D
                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0082AFD5
                                                                    • _wcscmp.LIBCMT ref: 0082AFE5
                                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0082B00C
                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0082B055
                                                                    • _wcscmp.LIBCMT ref: 0082B065
                                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0082B08D
                                                                    • GetWindowRect.USER32(00000004,?), ref: 0082B0F6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                    • String ID: @$ThumbnailClass
                                                                    • API String ID: 1788623398-1539354611
                                                                    • Opcode ID: f5940f6b239d0772ec6245bba06da60fb75da1baea94322a5189e680e70a3976
                                                                    • Instruction ID: 28ed31462df577b58cda2de59afee1d9fc467fc47a8af3a1155e1dc771e66d57
                                                                    • Opcode Fuzzy Hash: f5940f6b239d0772ec6245bba06da60fb75da1baea94322a5189e680e70a3976
                                                                    • Instruction Fuzzy Hash: 5381CE711083199BDB05DF14D985FAA7BE8FF84314F04846AFD85CA192DB38DD89CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                    • API String ID: 1038674560-1810252412
                                                                    • Opcode ID: c301d8b310f91086e88c3f909c0af4e23b5550fabbddc51a69e4434c7bd35ccd
                                                                    • Instruction ID: 96c58bffa944697c29e48aedf590ad749f8e2990aac4ccbbf18dd1527474b96d
                                                                    • Opcode Fuzzy Hash: c301d8b310f91086e88c3f909c0af4e23b5550fabbddc51a69e4434c7bd35ccd
                                                                    • Instruction Fuzzy Hash: 5E319070548229EBDA1CFA64EE47EBE7774FF10750F70042AB821F12D1EA69AF44C652
                                                                    APIs
                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00845013
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0084501E
                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00845029
                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00845034
                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 0084503F
                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 0084504A
                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00845055
                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00845060
                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 0084506B
                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00845076
                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00845081
                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0084508C
                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00845097
                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 008450A2
                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 008450AD
                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 008450B8
                                                                    • GetCursorInfo.USER32(?), ref: 008450C8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$Load$Info
                                                                    • String ID:
                                                                    • API String ID: 2577412497-0
                                                                    • Opcode ID: e1c1848be457c8f9b166aa2b5b7ec21fa045713f8e9c3735a091442428ac4c37
                                                                    • Instruction ID: 997fe6e1eb9c921a81d3d544e311fc3293e142cc926b46427233681baff9b9c5
                                                                    • Opcode Fuzzy Hash: e1c1848be457c8f9b166aa2b5b7ec21fa045713f8e9c3735a091442428ac4c37
                                                                    • Instruction Fuzzy Hash: D831E1B1D4871DABDF109FB68C8996EBFF8FB08750F50452AA50DE7281DA78A5008E91
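The "APIs" listings in this report share one fixed layout: one bullet per call in the form `Name.MODULE(args), ref: ADDR`, with indented "Part of subcall function" bullets for APIs reached through a callee, and a "Strings" or "Memory Dump Source" heading closing the listing. A report with this many function entries is easier to triage by machine than by scrolling. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample; it parses that layout, using lines copied from the entries above as its constructed input, and flags the functions that reach a small watchlist of APIs. The watchlist and its labels are this example's own assumptions, not Joe Sandbox signatures.

```python
"""Triage helper for Joe Sandbox "APIs" listings (added example).

Not part of the Joe Sandbox report or of the analysed sample. The watchlist
below is this example's own assumption, not a Joe Sandbox signature.
"""
import re
from collections import Counter

# One bullet of an APIs listing. Three shapes occur in the report:
#   • GetAsyncKeyState.USER32(00000001), ref: 007D2399
#   • _wcscmp.LIBCMT ref: 0082A52E                       (no argument list)
#     • Part of subcall function 007D2344: GetCursorPos.USER32(?), ref: 007D2357
API_LINE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<callee>[0-9A-F]+):\s+)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

BLOCK_START = "APIs"
BLOCK_END = {"Strings", "Memory Dump Source"}   # headings that follow a listing

# Watchlist (example's own choice): API name -> informal triage label.
WATCHLIST = {
    "GetAsyncKeyState": "keystroke polling",
    "GetCursorPos": "input capture",
    "GetCursorInfo": "input capture",
    "DragQueryFileW": "file drop handling",
    "LoadLibraryExW": "dynamic loading",
    "SendMessageTimeoutW": "cross-window messaging",
}

# Constructed input: lines copied from the entries in this report excerpt.
SAMPLE = """\
APIs
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007D297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007D2990
  • Part of subcall function 007D2344: GetCursorPos.USER32(?), ref: 007D2357
  • Part of subcall function 007D2344: ScreenToClient.USER32(008957B0,?), ref: 007D2374
  • Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000001), ref: 007D2399
  • Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000002), ref: 007D23A7
• SetTimer.USER32(00000000,00000000,00000028,007D1256), ref: 007D29FC
Strings
Memory Dump Source
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0082A47A
• __swprintf.LIBCMT ref: 0082A51B
• _wcscmp.LIBCMT ref: 0082A52E
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0082A583
  • Part of subcall function 007F362C: _iswctype.LIBCMT ref: 007F3634
Strings
APIs
Strings
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 00845013
• LoadCursorW.USER32(00000000,00007F00), ref: 0084501E
• GetCursorInfo.USER32(?), ref: 008450C8
Memory Dump Source
"""


def parse_api_blocks(text):
    """Split the report text into APIs listings.

    Each block records the listed function's direct calls, the APIs reached
    through callees ("Part of subcall function"), and the first direct ref
    address, which serves as the block's identifier.
    """
    blocks, current = [], None
    for line in text.splitlines():
        heading = line.strip()
        if heading == BLOCK_START:
            current = {"first_ref": None, "direct": [], "subcall": []}
            blocks.append(current)
            continue
        if heading in BLOCK_END:
            current = None
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if not m:
            continue
        call = (m.group("api"), m.group("module"), m.group("ref"))
        if m.group("callee"):
            current["subcall"].append(call)
        else:
            current["direct"].append(call)
            if current["first_ref"] is None:
                current["first_ref"] = m.group("ref")
    return blocks


def triage(text):
    """Map each block's first ref address to the sorted watchlist labels it hits.

    Subcall APIs count too: the report attributes them to the callee, but the
    listed function still reaches them.
    """
    hits = {}
    for block in parse_api_blocks(text):
        labels = {WATCHLIST[api] for api, _, _ in block["direct"] + block["subcall"]
                  if api in WATCHLIST}
        if labels:
            hits[block["first_ref"] or "?"] = sorted(labels)
    return hits


def api_histogram(text):
    """Count direct API calls across all blocks (which APIs dominate the binary)."""
    return Counter(api for block in parse_api_blocks(text)
                   for api, _, _ in block["direct"])


if __name__ == "__main__":
    for ref, labels in triage(SAMPLE).items():
        print(f"{ref}: {', '.join(labels)}")
```

Run as-is it prints one line per flagged listing in the constructed sample; pass the full report text instead of `SAMPLE` to cover every entry, and extend `WATCHLIST` with whatever APIs matter for the case at hand.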
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0085A259
                                                                    • DestroyWindow.USER32(?,?), ref: 0085A2D3
                                                                      • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0085A34D
                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0085A36F
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085A382
                                                                    • DestroyWindow.USER32(00000000), ref: 0085A3A4
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007D0000,00000000), ref: 0085A3DB
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085A3F4
                                                                    • GetDesktopWindow.USER32 ref: 0085A40D
                                                                    • GetWindowRect.USER32(00000000), ref: 0085A414
                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0085A42C
                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0085A444
                                                                      • Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                    • String ID: 0$tooltips_class32
                                                                    • API String ID: 1297703922-3619404913
                                                                    • Opcode ID: edb2cedfc79be1dcb20b7e7d9350bb84de48d06624f1aea9cd098876668641db
                                                                    • Instruction ID: c64be27598351ec0b6f97be045be8f5a8fa8bdb690cc66e43f5ad2b608a249fd
                                                                    • Opcode Fuzzy Hash: edb2cedfc79be1dcb20b7e7d9350bb84de48d06624f1aea9cd098876668641db
                                                                    • Instruction Fuzzy Hash: E471DC70140204AFD729DF28CC88FA67BE5FB88705F08062DF985D72A1D775E906CB52
                                                                    APIs
                                                                      • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                                    • DragQueryPoint.SHELL32(?,?), ref: 0085C627
                                                                      • Part of subcall function 0085AB37: ClientToScreen.USER32(?,?), ref: 0085AB60
                                                                      • Part of subcall function 0085AB37: GetWindowRect.USER32(?,?), ref: 0085ABD6
                                                                      • Part of subcall function 0085AB37: PtInRect.USER32(?,?,0085C014), ref: 0085ABE6
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0085C690
                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0085C69B
                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0085C6BE
                                                                    • _wcscat.LIBCMT ref: 0085C6EE
                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0085C705
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0085C71E
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0085C735
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0085C757
                                                                    • DragFinish.SHELL32(?), ref: 0085C75E
                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0085C851
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                    • API String ID: 169749273-3440237614
                                                                    • Opcode ID: 70f5f4497745a76170c61cb5f453d329c9939ea3eff932f37906bedead146c54
                                                                    • Instruction ID: 5059c6125e5ffe664d2572dd06f31e1bff8898972f010ac07b95803cff4f243b
                                                                    • Opcode Fuzzy Hash: 70f5f4497745a76170c61cb5f453d329c9939ea3eff932f37906bedead146c54
                                                                    • Instruction Fuzzy Hash: CB615071108300AFC701EF54CC85DABBBF9FF99751F00092EF695962A1DB74A549CB52
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 00854424
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0085446F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharMessageSendUpper
                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                    • API String ID: 3974292440-4258414348
                                                                    • Opcode ID: 6f8ce909c4f039848a59da409c4f084a91511afac66766f2e4fff387ce28c543
                                                                    • Instruction ID: 78b2aee523b5f55cec890cee52b0c204873fdf7fd184015f8a3c5a7deec9ac79
                                                                    • Opcode Fuzzy Hash: 6f8ce909c4f039848a59da409c4f084a91511afac66766f2e4fff387ce28c543
                                                                    • Instruction Fuzzy Hash: 1E9189302007018BCB04EF20C455A6EB7E1FF95758F048869FD969B3A2DB34EC89CB82
                                                                    APIs
                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0085B8B4
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008591C2), ref: 0085B910
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0085B949
                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0085B98C
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0085B9C3
                                                                    • FreeLibrary.KERNEL32(?), ref: 0085B9CF
                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0085B9DF
                                                                    • DestroyIcon.USER32(?,?,?,?,?,008591C2), ref: 0085B9EE
                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0085BA0B
                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0085BA17
                                                                      • Part of subcall function 007F2EFD: __wcsicmp_l.LIBCMT ref: 007F2F86
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                    • String ID: .dll$.exe$.icl
                                                                    • API String ID: 1212759294-1154884017
                                                                    • Opcode ID: da93a75769ae833a071e5853b9891ba53c1440a47331bc4792beec92520b8f95
                                                                    • Instruction ID: d450bab3d9d7ba42ec894369385b4a19e2410c94a66d8ceeea4fd4da3363e977
                                                                    • Opcode Fuzzy Hash: da93a75769ae833a071e5853b9891ba53c1440a47331bc4792beec92520b8f95
                                                                    • Instruction Fuzzy Hash: 5061EF71900219FAEB14DF64CC4AFBE7BA8FB18722F104116FE15D61C1EB789994DBA0
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?), ref: 0083DCDC
                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0083DCEC
                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0083DCF8
                                                                    • __wsplitpath.LIBCMT ref: 0083DD56
                                                                    • _wcscat.LIBCMT ref: 0083DD6E
                                                                    • _wcscat.LIBCMT ref: 0083DD80
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0083DD95
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0083DDA9
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0083DDDB
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0083DDFC
                                                                    • _wcscpy.LIBCMT ref: 0083DE08
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0083DE47
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                    • String ID: *.*
                                                                    • API String ID: 3566783562-438819550
                                                                    • Opcode ID: ba6c40120373025bbc47490353680291760ad0801f7a63589a18082732ca9ad0
                                                                    • Instruction ID: add47950bbf5ca028bfe803e354901080961dc252d454a198361ffb1c0c6b466
                                                                    • Opcode Fuzzy Hash: ba6c40120373025bbc47490353680291760ad0801f7a63589a18082732ca9ad0
                                                                    • Instruction Fuzzy Hash: 8E6147B25043459FCB10EF64D8449AEB3E8FF89314F04492EEA89D7351DB35EA45CB92
                                                                    APIs
                                                                    • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00839C7F
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00839CA0
                                                                    • __swprintf.LIBCMT ref: 00839CF9
                                                                    • __swprintf.LIBCMT ref: 00839D12
                                                                    • _wprintf.LIBCMT ref: 00839DB9
                                                                    • _wprintf.LIBCMT ref: 00839DD7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                    • API String ID: 311963372-3080491070
                                                                    • Opcode ID: 4304cef4a2a2d50470bbd8371c140676d403aebfecc1b62741d07923cf1a1165
                                                                    • Instruction ID: 61c3ce687b269889276efc3f56f67157c5e9ab20a33e876b432a4406389936fe
                                                                    • Opcode Fuzzy Hash: 4304cef4a2a2d50470bbd8371c140676d403aebfecc1b62741d07923cf1a1165
                                                                    • Instruction Fuzzy Hash: 27515C31900509EACB19FBE4DD4AEEEB779FF14300F500066F505B22A2EB792E58CB61
                                                                    APIs
                                                                      • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                                      • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                                    • CharLowerBuffW.USER32(?,?), ref: 0083A3CB
                                                                    • GetDriveTypeW.KERNEL32 ref: 0083A418
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A460
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A497
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A4C5
                                                                      • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                    • API String ID: 2698844021-4113822522
                                                                    • Opcode ID: 9f442cf4815e7c3c7c698483b60c25f371edc69f92e9032abac5279681dda943
                                                                    • Instruction ID: 638b55c5f5aac107022b91110d6f95d6f928c49ca672115181830b3f28d40faf
                                                                    • Opcode Fuzzy Hash: 9f442cf4815e7c3c7c698483b60c25f371edc69f92e9032abac5279681dda943
                                                                    • Instruction Fuzzy Hash: 35510771104205DFC704EF24C99586AB7F4FF94718F50886EF89A973A2DB35AD09CB92
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0080E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0082F8DF
                                                                    • LoadStringW.USER32(00000000,?,0080E029,00000001), ref: 0082F8E8
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                    • GetModuleHandleW.KERNEL32(00000000,00895310,?,00000FFF,?,?,0080E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0082F90A
                                                                    • LoadStringW.USER32(00000000,?,0080E029,00000001), ref: 0082F90D
                                                                    • __swprintf.LIBCMT ref: 0082F95D
                                                                    • __swprintf.LIBCMT ref: 0082F96E
                                                                    • _wprintf.LIBCMT ref: 0082FA17
                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0082FA2E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                    • API String ID: 984253442-2268648507
                                                                    • Opcode ID: fd32df2a0f943841f37dc953aa91a71e5862c5edd872b073a7cf54c71dde69b9
                                                                    • Instruction ID: ae64d83e763dfb849720813f8aee850b154287850debac6713b4f0cebfbbc6d2
                                                                    • Opcode Fuzzy Hash: fd32df2a0f943841f37dc953aa91a71e5862c5edd872b073a7cf54c71dde69b9
                                                                    • Instruction Fuzzy Hash: B441207290411DEACF08FBE4DD5ADEE7778EF14300F500466B605B6292EA396F49CB61
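The "APIs" and "Similarity" blocks above are the per-function summaries produced by the Joe Sandbox IDA plugin. Several of the string sets are literals of the AutoIt3 interpreter rather than of the embedded script: the `Line %d (File "%s"):` / `^ ERROR` pair is the interpreter's script-error formatter, and `type cdaudio alias cd wait` / `set cd door` are the MCI commands behind its CDTray() function. The Python below is an added example, not part of this report or of Joe Sandbox: it parses listings in this layout into call records and flags functions carrying those runtime strings. The sample text is constructed from the entries above, and the marker-to-feature mapping (`AUTOIT_MARKERS`) is an assumption drawn from AutoIt's public behaviour, not something the report states.

```python
"""Parse Joe Sandbox per-function 'APIs'/'Similarity' listings into records
and flag functions whose string set matches AutoIt3 interpreter internals.
Added example; not part of the report or of Joe Sandbox itself."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the report's own layout (three function summaries).
SAMPLE = """\
APIs
• CharLowerBuffW.USER32(?,?), ref: 0083A3CB
• GetDriveTypeW.KERNEL32 ref: 0083A418
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A460
  • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00839C7F
• __swprintf.LIBCMT ref: 00839CF9
• _wprintf.LIBCMT ref: 00839DB9
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-3080491070
APIs
• GetDC.USER32(00000000), ref: 0084738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0084739B
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
"""

# One call-site line: Name.MODULE(args), ref: ADDRESS  (args and comma optional)
API_RE = re.compile(
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SUBCALL_RE = re.compile(r"Part of subcall function ([0-9A-Fa-f]+):")

# Assumed mapping of literal strings to AutoIt3 runtime features (not from the report).
AUTOIT_MARKERS = {
    "script error formatter": ('Line %d (File "%s"):', "^ ERROR"),
    "CDTray() via MCI": ("set cd door", "type cdaudio alias cd wait"),
    "COM property error": ("Incorrect parameters to object property !",),
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int                            # call-site address
    via_subcall: Optional[str] = None   # callee address when reached indirectly


@dataclass
class FunctionSummary:
    calls: list = field(default_factory=list)
    api_id: str = ""
    strings: tuple = ()
    api_string_id: str = ""


def parse_report(text: str) -> list:
    """Return one FunctionSummary per 'APIs' header, in document order."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionSummary()
            records.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            body = line.split(":", 1)[1].lstrip(" ")  # keep inner spacing, '$' separates
            cur.strings = tuple(body.split("$")) if body else ()
        elif line.startswith("• API String ID:"):
            cur.api_string_id = line.split(":", 1)[1].strip()
        else:
            m = API_RE.search(line)
            if m:
                args = tuple(m.group("args").split(",")) if m.group("args") else ()
                sub = SUBCALL_RE.search(line)
                cur.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                         int(m.group("ref"), 16),
                                         sub.group(1) if sub else None))
    return records


def classify(rec: FunctionSummary) -> list:
    """Names of AutoIt runtime features whose marker strings all occur in rec."""
    have = set(rec.strings)
    return [name for name, need in AUTOIT_MARKERS.items() if set(need) <= have]


def autoit_footprint(text: str) -> dict:
    """Map each flagged function (keyed by its first call-site address) to its markers."""
    out = {}
    for rec in parse_report(text):
        hits = classify(rec)
        if hits and rec.calls:
            out[f"{rec.calls[0].ref:08X}"] = hits
    return out


if __name__ == "__main__":
    for addr, hits in autoit_footprint(SAMPLE).items():
        print(addr, ", ".join(hits))
```

Functions that match only interpreter markers can be set aside during triage; the behaviour worth the analyst's time is in the embedded script, and the extracted `FunctionSummary` records (ordered API sequences plus their `API String ID`) give a stable feature set for comparing this sample's runtime against other compiled AutoIt droppers.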
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00859207,?,?), ref: 0085BA56
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BA6D
                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BA78
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BA85
                                                                    • GlobalLock.KERNEL32(00000000), ref: 0085BA8E
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BA9D
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0085BAA6
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BAAD
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BABE
                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00862CAC,?), ref: 0085BAD7
                                                                    • GlobalFree.KERNEL32(00000000), ref: 0085BAE7
                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0085BB0B
                                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0085BB36
                                                                    • DeleteObject.GDI32(00000000), ref: 0085BB5E
                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0085BB74
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                    • String ID:
                                                                    • API String ID: 3840717409-0
                                                                    • Opcode ID: 8ea7ed4f128c7baa441b45ff529193b8eb3677396cbab5c472fb40c81c91508c
                                                                    • Instruction ID: 901f3093e09268782ecc2b265a93e8a939ffc03853c3637df1b34055f4e7a6eb
                                                                    • Opcode Fuzzy Hash: 8ea7ed4f128c7baa441b45ff529193b8eb3677396cbab5c472fb40c81c91508c
                                                                    • Instruction Fuzzy Hash: 8C411875601208EFDB119F65DC88EABBBB9FF89722F104068FA09D7261D7749D05CB60
                                                                    APIs
                                                                    • __wsplitpath.LIBCMT ref: 0083DA10
                                                                    • _wcscat.LIBCMT ref: 0083DA28
                                                                    • _wcscat.LIBCMT ref: 0083DA3A
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0083DA4F
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0083DA63
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0083DA7B
                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0083DA95
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0083DAA7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                    • String ID: *.*
                                                                    • API String ID: 34673085-438819550
                                                                    • Opcode ID: 0f19306fe488e6516a6fa88fed48286e034ffcada488620ba09659919e3d0996
                                                                    • Instruction ID: fdabb7b9bf8f6b7e4749a9f417ff1ac9d479dba8df53cd96123acef3daa9cb63
                                                                    • Opcode Fuzzy Hash: 0f19306fe488e6516a6fa88fed48286e034ffcada488620ba09659919e3d0996
                                                                    • Instruction Fuzzy Hash: D081B2725043449FCB20EF64D844AAABBE8FFC9714F14882EF889C7251E734E945CB92
                                                                    APIs
                                                                      • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0085C1FC
                                                                    • GetFocus.USER32 ref: 0085C20C
                                                                    • GetDlgCtrlID.USER32(00000000), ref: 0085C217
                                                                    • _memset.LIBCMT ref: 0085C342
                                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0085C36D
                                                                    • GetMenuItemCount.USER32(?), ref: 0085C38D
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0085C3A0
                                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0085C3D4
                                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0085C41C
                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0085C454
                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0085C489
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                    • String ID: 0
                                                                    • API String ID: 1296962147-4108050209
                                                                    • Opcode ID: 5a32af93457b48c7ecf0c9d8ebd712c91ab68724f1e44977b0f61dccecd0cdf5
                                                                    • Instruction ID: bf74989911d5ec498ab936aac550e3f2b5ebe66c1594cc1333b59615a2476c3f
                                                                    • Opcode Fuzzy Hash: 5a32af93457b48c7ecf0c9d8ebd712c91ab68724f1e44977b0f61dccecd0cdf5
                                                                    • Instruction Fuzzy Hash: 66816A70208305AFD711DF14C894AAABBE4FB88716F00492EFA95D7292D770D909CF92
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 0084738F
                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0084739B
                                                                    • CreateCompatibleDC.GDI32(?), ref: 008473A7
                                                                    • SelectObject.GDI32(00000000,?), ref: 008473B4
                                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00847408
                                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00847444
                                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00847468
                                                                    • SelectObject.GDI32(00000006,?), ref: 00847470
                                                                    • DeleteObject.GDI32(?), ref: 00847479
                                                                    • DeleteDC.GDI32(00000006), ref: 00847480
                                                                    • ReleaseDC.USER32(00000000,?), ref: 0084748B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                    • String ID: (
                                                                    • API String ID: 2598888154-3887548279
                                                                    • Opcode ID: b85254f2b033ce1fb8a468c5852a2db7a02f12e668cafa4be64ff7fecbcaaa5c
                                                                    • Instruction ID: c3168af3519423ef959bf75ef8ffc1b9db83e1aec2ee6dae062fd8852583fd7f
                                                                    • Opcode Fuzzy Hash: b85254f2b033ce1fb8a468c5852a2db7a02f12e668cafa4be64ff7fecbcaaa5c
                                                                    • Instruction Fuzzy Hash: 1F512775A04309EFCB15CFA8CC85EAEBBB9FF48310F148429FA5A97351C735A9408B50
                                                                    APIs
                                                                      • Part of subcall function 007F0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,007D6B0C,?,00008000), ref: 007F0973
                                                                      • Part of subcall function 007D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D4743,?,?,007D37AE,?), ref: 007D4770
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007D6BAD
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 007D6CFA
                                                                      • Part of subcall function 007D586D: _wcscpy.LIBCMT ref: 007D58A5
                                                                      • Part of subcall function 007F363D: _iswctype.LIBCMT ref: 007F3645
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                    • API String ID: 537147316-1018226102
                                                                    • Opcode ID: 90465ca26dd2b69a00be4d8a005e2eeff6efda3cf4f521e4ce35b6f5178f1b13
                                                                    • Instruction ID: e25ab262466182f29dc6277a63199e2a3884fbbd24aa3b707104a3e7a8819888
                                                                    • Opcode Fuzzy Hash: 90465ca26dd2b69a00be4d8a005e2eeff6efda3cf4f521e4ce35b6f5178f1b13
                                                                    • Instruction Fuzzy Hash: C2025671108340DFC724EF24C8859AFBBF5FF94314F14492EF59A972A2DA38A949CB52
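The string list of the loader function above ("AU3!", "EA06", ">>>AUTOIT SCRIPT<<<") is what the "compiled AutoIt script" verdict rests on: in a compiled AutoIt3 binary the two short strings sit back to back as the "AU3!EA06" signature that precedes the embedded script body. The following scanner is an added example written for this report, not code from Joe Sandbox or from the sample; it searches a buffer for that signature and for the script tag (ASCII and UTF-16LE, the latter being an assumption about how the tag is stored) and reports the offsets an analyst would carve from. The sample input is constructed here.

```python
"""Locate compiled-AutoIt3 markers in a PE image or memory dump (added example)."""
from __future__ import annotations

# Markers taken from the report's string list for the script loader function.
# A compiled AutoIt3 payload carries "AU3!" immediately followed by "EA06"
# before the script data; the report lists the two halves separately.
AU3_MARKER = b"AU3!"
AU3_VERSION = b"EA06"
SCRIPT_TAG = b">>>AUTOIT SCRIPT<<<"

# Needles to search for, keyed by a label used in the hit records.
# The UTF-16LE form of the tag is an assumption (AutoIt is a wide-char build).
NEEDLES = {
    "au3_header": AU3_MARKER + AU3_VERSION,
    "script_tag": SCRIPT_TAG,
    "script_tag_utf16": SCRIPT_TAG.decode("ascii").encode("utf-16-le"),
}


def find_autoit_markers(data: bytes) -> list[dict]:
    """Return every offset at which one of the known markers appears.

    Each hit records the marker kind, its offset and a 16-byte hex preview so
    the analyst can jump to it in a hex editor or carve from that point.
    """
    hits = []
    for kind, needle in NEEDLES.items():
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            hits.append({"kind": kind, "offset": idx, "preview": data[idx:idx + 16].hex()})
            start = idx + 1
    return sorted(hits, key=lambda h: h["offset"])


def looks_like_compiled_autoit(data: bytes) -> bool:
    """A buffer is treated as a compiled AutoIt binary when AU3!EA06 is present."""
    return any(h["kind"] == "au3_header" for h in find_autoit_markers(data))


def scan_file(path: str) -> list[dict]:
    """Convenience wrapper for on-disk samples or dumped memory regions."""
    with open(path, "rb") as fh:
        return find_autoit_markers(fh.read())


# Constructed sample input: a fake MZ/PE stub, filler, then the AU3!EA06 signature
# at offset 168, followed by a UTF-16LE script tag.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 100
          + AU3_MARKER + AU3_VERSION + b"\x01\x02\x03" + b"\x00" * 20)
SAMPLE_WITH_TAG = SAMPLE + NEEDLES["script_tag_utf16"]

if __name__ == "__main__":
    for hit in find_autoit_markers(SAMPLE_WITH_TAG):
        print(f"{hit['kind']:<17} @0x{hit['offset']:08x} {hit['preview']}")
    print("compiled AutoIt:", looks_like_compiled_autoit(SAMPLE_WITH_TAG))
```

Run it over the dumped image named in the Memory Dump Source entries (offset 007D0000) rather than only the file on disk: packed or dropped AutoIt stages are easier to find once they are unpacked in memory.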
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00832D50
                                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00832DDD
                                                                    • GetMenuItemCount.USER32(00895890), ref: 00832E66
                                                                    • DeleteMenu.USER32(00895890,00000005,00000000,000000F5,?,?), ref: 00832EF6
                                                                    • DeleteMenu.USER32(00895890,00000004,00000000), ref: 00832EFE
                                                                    • DeleteMenu.USER32(00895890,00000006,00000000), ref: 00832F06
                                                                    • DeleteMenu.USER32(00895890,00000003,00000000), ref: 00832F0E
                                                                    • GetMenuItemCount.USER32(00895890), ref: 00832F16
                                                                    • SetMenuItemInfoW.USER32(00895890,00000004,00000000,00000030), ref: 00832F4C
                                                                    • GetCursorPos.USER32(?), ref: 00832F56
                                                                    • SetForegroundWindow.USER32(00000000), ref: 00832F5F
                                                                    • TrackPopupMenuEx.USER32(00895890,00000000,?,00000000,00000000,00000000), ref: 00832F72
                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00832F7E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                    • String ID:
                                                                    • API String ID: 3993528054-0
                                                                    • Opcode ID: 4836b85b6e2aaa9e58564c9e2a998fd518cc1f3700463929efed10300281e5c4
                                                                    • Instruction ID: d11cb88f5f6a3320de574a6db29794485b7b13a33dc5aa420f2f3b44d468890b
                                                                    • Opcode Fuzzy Hash: 4836b85b6e2aaa9e58564c9e2a998fd518cc1f3700463929efed10300281e5c4
                                                                    • Instruction Fuzzy Hash: A771D370600209BBEB219F58DC46FAABF64FF84364F144216F625EA1E2C7756810DBD1
                                                                    APIs
                                                                      • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                                    • _memset.LIBCMT ref: 0082786B
                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008278A0
                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008278BC
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008278D8
                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00827902
                                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0082792A
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00827935
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0082793A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                    • API String ID: 1411258926-22481851
                                                                    • Opcode ID: 2b13204ebfe469ab6f69b14375865b7e09611dad9a9d3c877f20d54e68ccb212
                                                                    • Instruction ID: 4673edc061e75e7b4909a69ff4eef51fd826d1b06181a4bba51529b7157f90b3
                                                                    • Opcode Fuzzy Hash: 2b13204ebfe469ab6f69b14375865b7e09611dad9a9d3c877f20d54e68ccb212
                                                                    • Instruction Fuzzy Hash: C841F872814629EBCF15EBA4DC99DEEB778FF04310F04446AE915A32A1EB389D44CB90
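Two of the API lists above are worth matching as ordered chains rather than as isolated imports: the GDI sequence GetDC, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits is the standard screen-capture pattern, and WNetAddConnection2W, RegConnectRegistryW, RegOpenKeyExW, RegQueryValueExW (with 80000002, HKEY_LOCAL_MACHINE, passed as the hive) is a remote-registry read over the \IPC$ share. The script below is an added example, not part of the Joe Sandbox report: it parses lines in the report's own "• Api.MODULE(args), ref: ADDR" format, orders the direct calls by call address, ignores "Part of subcall" entries, and tests for those chains as ordered subsequences. The chain labels are my own; the sample lines are copied from the listings above.

```python
"""Match behaviour chains in the API-listing format used by the report (added example)."""
from __future__ import annotations

import re

# One API entry: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE, optional "(args)", then ", ref: ADDR" (the call site address).
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?.*?ref:\s*([0-9A-Fa-f]+)"
)

# Ordered call chains, each taken from one function's API list in the report.
# A chain matches when its APIs appear in this order among the function's
# direct calls (other calls may sit in between). Labels are assumptions.
CHAINS = {
    "screen_capture": ["GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC",
                       "SelectObject", "StretchBlt", "GetDIBits"],
    "remote_registry": ["WNetAddConnection2W", "RegConnectRegistryW",
                        "RegOpenKeyExW", "RegQueryValueExW"],
}

# Predefined registry hive handles (Win32 constants) seen as literal arguments.
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}


def parse_api_lines(text: str) -> list[dict]:
    """Parse report API entries and return them sorted by call-site address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        api, module, args, ref = m.groups()
        calls.append({
            "api": api,
            "module": module,
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(ref, 16),
            "subcall": "Part of subcall" in line,
        })
    return sorted(calls, key=lambda c: c["ref"])


def match_chains(calls: list[dict], chains: dict = CHAINS) -> list[str]:
    """Return the names of chains found as ordered subsequences of direct calls."""
    direct = [c["api"] for c in calls if not c["subcall"]]
    found = []
    for name, seq in chains.items():
        pos = 0
        for api in direct:
            if pos < len(seq) and api == seq[pos]:
                pos += 1
        if pos == len(seq):
            found.append(name)
    return found


def registry_hives_used(calls: list[dict]) -> list[str]:
    """Hive names for predefined handles passed as literals to Reg* calls."""
    names = set()
    for c in calls:
        if not c["api"].startswith("Reg"):
            continue
        for a in c["args"]:
            if re.fullmatch(r"[0-9A-Fa-f]{8}", a) and int(a, 16) in HIVES:
                names.add(HIVES[int(a, 16)])
    return sorted(names)


# Sample input copied from the two API listings in the report.
SAMPLE_SCREENSHOT = """
• GetDC.USER32(00000000), ref: 0084738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0084739B
• CreateCompatibleDC.GDI32(?), ref: 008473A7
• SelectObject.GDI32(00000000,?), ref: 008473B4
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00847408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00847444
• ReleaseDC.USER32(00000000,?), ref: 0084748B
"""
SAMPLE_REMOTE_REGISTRY = r"""
  • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
• _memset.LIBCMT ref: 0082786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008278A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008278BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008278D8
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00827902
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00827935
"""

if __name__ == "__main__":
    for label, text in (("screenshot fn", SAMPLE_SCREENSHOT), ("registry fn", SAMPLE_REMOTE_REGISTRY)):
        calls = parse_api_lines(text)
        print(label, "chains:", match_chains(calls), "hives:", registry_hives_used(calls))
```

Matching on ordered chains within one function, rather than on the import table, is what separates a capture routine from an AutoIt runtime that merely links GDI32; the same parser can be pointed at the rest of the report to tag each function before deciding which ones deserve manual review.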
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084FDAD,?,?), ref: 00850E31
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper
                                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                    • API String ID: 3964851224-909552448
                                                                    • Opcode ID: 61d8a5aca4b5e939451e462f454c35f474c89c49f257ec58fa009724a063cc78
                                                                    • Instruction ID: c410fd91e6d2be55d88b6240222f71f20ebaa9b36c9933b16e12748a55f8c70c
                                                                    • Opcode Fuzzy Hash: 61d8a5aca4b5e939451e462f454c35f474c89c49f257ec58fa009724a063cc78
                                                                    • Instruction Fuzzy Hash: 4641373110024ACBCF20EE50D96AAFE3764FF11305F584455FD959B392DB38A91ECBA1
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0080E2A0,00000010,?,Bad directive syntax error,0085F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0082F7C2
                                                                    • LoadStringW.USER32(00000000,?,0080E2A0,00000010), ref: 0082F7C9
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                    • _wprintf.LIBCMT ref: 0082F7FC
                                                                    • __swprintf.LIBCMT ref: 0082F81E
                                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0082F88D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                    • API String ID: 1506413516-4153970271
                                                                    • Opcode ID: 4a02f6ad105a93ecfa43936aacfa3d52319f946819d69c65acf57112aded8ce8
                                                                    • Instruction ID: 2ebfbf8cc3a523632ed94703a77c9c3215d942ce199cc1df1ad850a421d63ace
                                                                    • Opcode Fuzzy Hash: 4a02f6ad105a93ecfa43936aacfa3d52319f946819d69c65acf57112aded8ce8
                                                                    • Instruction Fuzzy Hash: A221613194021DEFCF15EF90CC5EEEE7779FF14301F040466B615A62A2EA399658DB50
                                                                    APIs
                                                                      • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                                      • Part of subcall function 007D7924: _memmove.LIBCMT ref: 007D79AD
                                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00835330
                                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00835346
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00835357
                                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00835369
                                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0083537A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: SendString$_memmove
                                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                    • API String ID: 2279737902-1007645807
                                                                    • Opcode ID: bbbed38a3a5ea10414bdae66b7677f60ab2344d9ac414c7322e27fd325278276
                                                                    • Instruction ID: 00d072ba9c768d5a14062422143daf6e7e614b5a15bd790a36646e5a55cf30c6
                                                                    • Opcode Fuzzy Hash: bbbed38a3a5ea10414bdae66b7677f60ab2344d9ac414c7322e27fd325278276
                                                                    • Instruction Fuzzy Hash: 48116021A90169BAD724B665CC5EDFF6BBCFBD6B44F80042AB415E22D1EEA41904C6A0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                    • String ID: 0.0.0.0
                                                                    • API String ID: 208665112-3771769585
                                                                    • Opcode ID: 1b2f0871370b2bf9facc16d1478ca1e41ad97facf0d6adce1be84193f8389de3
                                                                    • Instruction ID: 9a5736be219889f842ebbc13394bf0abbd7919e4647cafd9fc23ba75545470d3
                                                                    • Opcode Fuzzy Hash: 1b2f0871370b2bf9facc16d1478ca1e41ad97facf0d6adce1be84193f8389de3
                                                                    • Instruction Fuzzy Hash: 8B11E73150421CAFCB14BB349C4AEEA7BBCFF42712F0401B6F645D6292FF7999818A90
                                                                    APIs
                                                                    • timeGetTime.WINMM ref: 00834F7A
                                                                      • Part of subcall function 007F049F: timeGetTime.WINMM(?,7694B400,007E0E7B), ref: 007F04A3
                                                                    • Sleep.KERNEL32(0000000A), ref: 00834FA6
                                                                    • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00834FCA
                                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00834FEC
                                                                    • SetActiveWindow.USER32 ref: 0083500B
                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00835019
                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00835038
                                                                    • Sleep.KERNEL32(000000FA), ref: 00835043
                                                                    • IsWindow.USER32 ref: 0083504F
                                                                    • EndDialog.USER32(00000000), ref: 00835060
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                    • String ID: BUTTON
                                                                    • API String ID: 1194449130-3405671355
                                                                    • Opcode ID: 7e2c222b302bb72b54be76a164b1eb5dac83f6439916b0f9ec82df2084e3a1f8
                                                                    • Instruction ID: b80e69da759c94d0f9b2aedbc0a2fad1ac366757affe60756d6874d15d5af0e7
                                                                    • Opcode Fuzzy Hash: 7e2c222b302bb72b54be76a164b1eb5dac83f6439916b0f9ec82df2084e3a1f8
                                                                    • Instruction Fuzzy Hash: EF219974304B05AFE7116F60EC89A263BA9FB96746F0D1025F201C21B2EB799D50D7E1
                                                                    APIs
                                                                      • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                                      • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                                    • CoInitialize.OLE32(00000000), ref: 0083D5EA
                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0083D67D
                                                                    • SHGetDesktopFolder.SHELL32(?), ref: 0083D691
                                                                    • CoCreateInstance.OLE32(00862D7C,00000000,00000001,00888C1C,?), ref: 0083D6DD
                                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0083D74C
                                                                    • CoTaskMemFree.OLE32(?,?), ref: 0083D7A4
                                                                    • _memset.LIBCMT ref: 0083D7E1
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0083D81D
                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0083D840
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 0083D847
                                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0083D87E
                                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 0083D880
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                    • String ID:
                                                                    • API String ID: 1246142700-0
                                                                    • Opcode ID: f4d31d4a1e2ada1279cd99c175009d8e84a27fe74fbce10b69434e5032a46f5f
                                                                    • Instruction ID: 8345422844a735ab62540d0b515a583748e0190367339bbcbf94ae73f36832c3
                                                                    • Opcode Fuzzy Hash: f4d31d4a1e2ada1279cd99c175009d8e84a27fe74fbce10b69434e5032a46f5f
                                                                    • Instruction Fuzzy Hash: 2EB1EB75A00209EFDB04DFA4D889DAEBBB9FF88304F148469E919DB251DB34ED41CB90
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,00000001), ref: 0082C283
                                                                    • GetWindowRect.USER32(00000000,?), ref: 0082C295
                                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0082C2F3
                                                                    • GetDlgItem.USER32(?,00000002), ref: 0082C2FE
                                                                    • GetWindowRect.USER32(00000000,?), ref: 0082C310
                                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0082C364
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0082C372
                                                                    • GetWindowRect.USER32(00000000,?), ref: 0082C383
                                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0082C3C6
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0082C3D4
                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0082C3F1
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0082C3FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                    • String ID:
                                                                    • API String ID: 3096461208-0
                                                                    • Opcode ID: 98a4a8a1a3fec34306aa57847b99cb020c74040d6d7508603c273c54652558ea
                                                                    • Instruction ID: 83fe1b88353929445f129e3ee6fc2a60b958020cf4e56d630eb7d81eaa88fcbb
                                                                    • Opcode Fuzzy Hash: 98a4a8a1a3fec34306aa57847b99cb020c74040d6d7508603c273c54652558ea
                                                                    • Instruction Fuzzy Hash: AB514F71B00305AFDB18CFA9DD89AAEBBBAFB98311F14852DF615D7291D7709D408B10
                                                                    APIs
                                                                      • Part of subcall function 007D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D2036,?,00000000,?,?,?,?,007D16CB,00000000,?), ref: 007D1B9A
                                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007D20D3
                                                                    • KillTimer.USER32(-00000001,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 007D216E
                                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 0080BCA6
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 0080BCD7
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 0080BCEE
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 0080BD0A
                                                                    • DeleteObject.GDI32(00000000), ref: 0080BD1C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                    • String ID:
                                                                    • API String ID: 641708696-0
                                                                    • Opcode ID: 68276ff32bbed259f20961cafc56bf9adfb4b7ea37d5cd512ced003fbdfc4d4c
                                                                    • Instruction ID: e8e662f69a69dd0d4172dcc00d2e632c658b1da381689c9d474be9d4ee00d09d
                                                                    • Opcode Fuzzy Hash: 68276ff32bbed259f20961cafc56bf9adfb4b7ea37d5cd512ced003fbdfc4d4c
                                                                    • Instruction Fuzzy Hash: 93618F31110B00DFDB36AF14DD48B2AB7F1FF54312F54852AE54297AB2C779A892DB50
                                                                    APIs
                                                                      • Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC
                                                                    • GetSysColor.USER32(0000000F), ref: 007D21D3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ColorLongWindow
                                                                    • String ID:
                                                                    • API String ID: 259745315-0
                                                                    • Opcode ID: 968ed529c82fb07abc814db4a33c86cb655956e09d6b04fa4f132b4a6a46da9a
                                                                    • Instruction ID: 135c715bd872edfdfc5c555a82588868fe6bfab542b1d7946c584ee53f6fe53f
                                                                    • Opcode Fuzzy Hash: 968ed529c82fb07abc814db4a33c86cb655956e09d6b04fa4f132b4a6a46da9a
                                                                    • Instruction Fuzzy Hash: 7A417031104640DBDB265F28DC88BB93B65FB16331F194266FE658A2E7C7399C43DB21
                                                                    APIs
                                                                    • CharLowerBuffW.USER32(?,?,0085F910), ref: 0083A90B
                                                                    • GetDriveTypeW.KERNEL32(00000061,008889A0,00000061), ref: 0083A9D5
                                                                    • _wcscpy.LIBCMT ref: 0083A9FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                    • API String ID: 2820617543-1000479233
                                                                    • Opcode ID: e534f7dc7d525c97d8a11f4ead546b853f4899f0f68048c9a7c6824c00c4dd88
                                                                    • Instruction ID: 71905554f7a8056d9d737999af81d70c6e83ff3fa9b85dca2576a33debd5b848
                                                                    • Opcode Fuzzy Hash: e534f7dc7d525c97d8a11f4ead546b853f4899f0f68048c9a7c6824c00c4dd88
                                                                    • Instruction Fuzzy Hash: F4518D31108301DBC708EF14C996A6EBBA5FF84744F50482EFA95A73A2DB359909CB93
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __i64tow__itow__swprintf
                                                                    • String ID: %.15g$0x%p$False$True
                                                                    • API String ID: 421087845-2263619337
                                                                    • Opcode ID: 977821818192b18517d1f79e3132e2d600d6272439911be626dab39a941e7a03
                                                                    • Instruction ID: 5d43f6c3ff926a3cfab3778281b6fc31cb54361410b77473df5e5e5bcff223e6
                                                                    • Opcode Fuzzy Hash: 977821818192b18517d1f79e3132e2d600d6272439911be626dab39a941e7a03
                                                                    • Instruction Fuzzy Hash: BC41B171600209EFEB24DF38DC46A7A73F8FF05700F2044AEE649D7392EA3999419B50
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0085716A
                                                                    • CreateMenu.USER32 ref: 00857185
                                                                    • SetMenu.USER32(?,00000000), ref: 00857194
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00857221
                                                                    • IsMenu.USER32(?), ref: 00857237
                                                                    • CreatePopupMenu.USER32 ref: 00857241
                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0085726E
                                                                    • DrawMenuBar.USER32 ref: 00857276
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                    • String ID: 0$F
                                                                    • API String ID: 176399719-3044882817
                                                                    • Opcode ID: 1353c8c2042c4d7dc9e2d12887e4bc3150b8a2f0f70c6417c99c7a5284f3b1ff
                                                                    • Instruction ID: f0d0cb5b003281c445ac502e5065c9a3145c86bd569ce65a012e8b3061472a88
                                                                    • Opcode Fuzzy Hash: 1353c8c2042c4d7dc9e2d12887e4bc3150b8a2f0f70c6417c99c7a5284f3b1ff
                                                                    • Instruction Fuzzy Hash: 6C413674A01309EFDB20DFA4E984E9A7BB5FF48352F148029FE06A7361D731A914CB90
                                                                    APIs
                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0085755E
                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00857565
                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00857578
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00857580
                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0085758B
                                                                    • DeleteDC.GDI32(00000000), ref: 00857594
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0085759E
                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 008575B2
                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 008575BE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                    • String ID: static
                                                                    • API String ID: 2559357485-2160076837
                                                                    • Opcode ID: e06e1a7395bdb9f321265f9c083659d375c4a1402382004938685067a1f3bb58
                                                                    • Instruction ID: 215f18eaeecd220845face38784550c58ef2d1c12d403a8f3d88c09d5f67c3c9
                                                                    • Opcode Fuzzy Hash: e06e1a7395bdb9f321265f9c083659d375c4a1402382004938685067a1f3bb58
                                                                    • Instruction Fuzzy Hash: 9F317832104214BBDF129F64EC08FEB3BA9FF09362F104224FA15E21A1D735D815DBA4
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 007F6E3E
                                                                      • Part of subcall function 007F8B28: __getptd_noexit.LIBCMT ref: 007F8B28
                                                                    • __gmtime64_s.LIBCMT ref: 007F6ED7
                                                                    • __gmtime64_s.LIBCMT ref: 007F6F0D
                                                                    • __gmtime64_s.LIBCMT ref: 007F6F2A
                                                                    • __allrem.LIBCMT ref: 007F6F80
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F6F9C
                                                                    • __allrem.LIBCMT ref: 007F6FB3
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F6FD1
                                                                    • __allrem.LIBCMT ref: 007F6FE8
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F7006
                                                                    • __invoke_watson.LIBCMT ref: 007F7077
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                    • String ID:
                                                                    • API String ID: 384356119-0
                                                                    • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                    • Instruction ID: ffaa8ddeb7839884007ba40a874c4c0bbee2b30fa01c6e7e0240534cfaa190f8
                                                                    • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                    • Instruction Fuzzy Hash: AC71B476A00B1BABD718AA68DC41B7AB7A8FF04724F144229F614D73C1EB78DA40C791
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00832542
                                                                    • GetMenuItemInfoW.USER32(00895890,000000FF,00000000,00000030), ref: 008325A3
                                                                    • SetMenuItemInfoW.USER32(00895890,00000004,00000000,00000030), ref: 008325D9
                                                                    • Sleep.KERNEL32(000001F4), ref: 008325EB
                                                                    • GetMenuItemCount.USER32(?), ref: 0083262F
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0083264B
                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00832675
                                                                    • GetMenuItemID.USER32(?,?), ref: 008326BA
                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00832700
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00832714
                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00832735
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                    • String ID:
                                                                    • API String ID: 4176008265-0
                                                                    • Opcode ID: 0e1ce4d46db35ee3a3126308af0fa6dde0cb168655d4abf830ce781c1c306ce7
                                                                    • Instruction ID: 6669a87de367bbf8032645cf01f8f183bbbe7d84e535a8c2f85cb329ac3229ae
                                                                    • Opcode Fuzzy Hash: 0e1ce4d46db35ee3a3126308af0fa6dde0cb168655d4abf830ce781c1c306ce7
                                                                    • Instruction Fuzzy Hash: BD618BB0900249AFDF11DFA8DC89DBE7BB9FB81308F144059E942E7251E735AE05DBA1
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00856FA5
                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00856FA8
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00856FCC
                                                                    • _memset.LIBCMT ref: 00856FDD
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00856FEF
                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00857067
                                                                    Similarity
                                                                    • API ID: MessageSend$LongWindow_memset
                                                                    • String ID:
                                                                    • API String ID: 830647256-0
                                                                    • Opcode ID: e19e47ed134139b1efdd65c5f30b0208f82a6c49ff13145edaa21b399b3504d4
                                                                    • Instruction ID: ffa416d92269ed9b10af20328c1a9e828a5738b45327834be8bf831a3daea436
                                                                    • Opcode Fuzzy Hash: e19e47ed134139b1efdd65c5f30b0208f82a6c49ff13145edaa21b399b3504d4
                                                                    • Instruction Fuzzy Hash: ED615875900208AFDB11DFA8DC81EEE77F8FB08711F14416AFA14EB2A1D771AA45CB90
                                                                    APIs
                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00826BBF
                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00826C18
                                                                    • VariantInit.OLEAUT32(?), ref: 00826C2A
                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00826C4A
                                                                    • VariantCopy.OLEAUT32(?,?), ref: 00826C9D
                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00826CB1
                                                                    • VariantClear.OLEAUT32(?), ref: 00826CC6
                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00826CD3
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00826CDC
                                                                    • VariantClear.OLEAUT32(?), ref: 00826CEE
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00826CF9
                                                                    Similarity
                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                    • String ID:
                                                                    • API String ID: 2706829360-0
                                                                    • Opcode ID: e46854489863b6ccbb0c0278d68ee1eeea3b737b8a4756170c86b48454522e6f
                                                                    • Instruction ID: ed37ee4f5c9c514204a6a8b3d5ab245f3c14c0f4615f36566ed5bb6dbe3baa2a
                                                                    • Opcode Fuzzy Hash: e46854489863b6ccbb0c0278d68ee1eeea3b737b8a4756170c86b48454522e6f
                                                                    • Instruction Fuzzy Hash: C2414275A00229DFCF00EF68D848DAEBBB9FF08355F008069EA55E7261DB34A955CB94
                                                                    APIs
                                                                      • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                                      • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                                    • CoInitialize.OLE32 ref: 00848403
                                                                    • CoUninitialize.OLE32 ref: 0084840E
                                                                    • CoCreateInstance.OLE32(?,00000000,00000017,00862BEC,?), ref: 0084846E
                                                                    • IIDFromString.OLE32(?,?), ref: 008484E1
                                                                    • VariantInit.OLEAUT32(?), ref: 0084857B
                                                                    • VariantClear.OLEAUT32(?), ref: 008485DC
                                                                    Similarity
                                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                    • API String ID: 834269672-1287834457
                                                                    • Opcode ID: d4795327024912754cac8061fd8df29e5f33410467c81b09e22a7ecc03e09b49
                                                                    • Instruction ID: 29d39db67b53f09ca510f2cb589c76c5e31ebd59c213778ec6d279e2d3ec242a
                                                                    • Opcode Fuzzy Hash: d4795327024912754cac8061fd8df29e5f33410467c81b09e22a7ecc03e09b49
                                                                    • Instruction Fuzzy Hash: AA61567060831AEFC710DF24C848A6EBBE8FF49754F00445AFA85DB291CB74E948CB96
                                                                    APIs
                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00845793
                                                                    • inet_addr.WSOCK32(?), ref: 008457D8
                                                                    • gethostbyname.WSOCK32(?), ref: 008457E4
                                                                    • IcmpCreateFile.IPHLPAPI ref: 008457F2
                                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00845862
                                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00845878
                                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 008458ED
                                                                    • WSACleanup.WSOCK32 ref: 008458F3
                                                                    Similarity
                                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                    • String ID: Ping
                                                                    • API String ID: 1028309954-2246546115
                                                                    • Opcode ID: 649cce4c3d5bd7a256c9f517758f635c1205ec154aeb30e88136dd9fb4d14d61
                                                                    • Instruction ID: 938e0fdbdd0b53a41b3259351285794db1f198ad07f4ac731a13bd181e86f815
                                                                    • Opcode Fuzzy Hash: 649cce4c3d5bd7a256c9f517758f635c1205ec154aeb30e88136dd9fb4d14d61
                                                                    • Instruction Fuzzy Hash: 76513871604704DFDB11AF24D849B2EBBE4FB48724F04492AFA56DB2A2DB74E900DB52
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0083B4D0
                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0083B546
                                                                    • GetLastError.KERNEL32 ref: 0083B550
                                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0083B5BD
                                                                    Similarity
                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                    • API String ID: 4194297153-14809454
                                                                    • Opcode ID: f306679a139d4a3a5c3a74858183b72ddb5691b70ff804483e2e56f6285b7ec9
                                                                    • Instruction ID: 28cc53659a519e75564d6c8956cea61f3a0000439a3d1c5c7baa53c100ce8a88
                                                                    • Opcode Fuzzy Hash: f306679a139d4a3a5c3a74858183b72ddb5691b70ff804483e2e56f6285b7ec9
                                                                    • Instruction Fuzzy Hash: 913192B5A00209EFCB10EF68C849EADBBB4FF84315F504166E616D7391DB749A41CB91
                                                                    APIs
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                      • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00829014
                                                                    • GetDlgCtrlID.USER32 ref: 0082901F
                                                                    • GetParent.USER32 ref: 0082903B
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0082903E
                                                                    • GetDlgCtrlID.USER32(?), ref: 00829047
                                                                    • GetParent.USER32(?), ref: 00829063
                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00829066
                                                                    Similarity
                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 1536045017-1403004172
                                                                    • Opcode ID: a65fc0e901578192fad30850dee38a1752c36cc59914c36f0b4ef58e7cd4d2e5
                                                                    • Instruction ID: d0e9324285a9655f2e6d19479825ef3075aa7c013c1681eafe23852635143bd4
                                                                    • Opcode Fuzzy Hash: a65fc0e901578192fad30850dee38a1752c36cc59914c36f0b4ef58e7cd4d2e5
                                                                    • Instruction Fuzzy Hash: 6321F870A00218BBDF04ABA4DC89EFEBBB5FF59310F100116F961972A2EB795855DB20
                                                                    APIs
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                      • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
                                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008290FD
                                                                    • GetDlgCtrlID.USER32 ref: 00829108
                                                                    • GetParent.USER32 ref: 00829124
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00829127
                                                                    • GetDlgCtrlID.USER32(?), ref: 00829130
                                                                    • GetParent.USER32(?), ref: 0082914C
                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0082914F
                                                                    Similarity
                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 1536045017-1403004172
                                                                    • Opcode ID: 68ea218545e5c96cc17f9d112b976e55ef9302a8868e0b41b6bbd42caa256363
                                                                    • Instruction ID: 9c7ea70b4243e675ec57a9225dc28296d746198ea57034711aca2c39f6d78740
                                                                    • Opcode Fuzzy Hash: 68ea218545e5c96cc17f9d112b976e55ef9302a8868e0b41b6bbd42caa256363
                                                                    • Instruction Fuzzy Hash: F921F874A00218BBDF04ABA4DC89EFEBBB4FF54300F100016F551D72A2EB795455DB20
                                                                    APIs
                                                                    • GetParent.USER32 ref: 0082916F
                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00829184
                                                                    • _wcscmp.LIBCMT ref: 00829196
                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00829211
                                                                    Similarity
                                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                    • API String ID: 1704125052-3381328864
                                                                    • Opcode ID: 6e78c074890dac42a9184e4f61b1405b4c0882afff66003f583d6b069b0f8ae5
                                                                    • Instruction ID: 94ef18467d6b8773444711c96b9dc97768fe9255e2fe61a43c10ed2f944bee29
                                                                    • Opcode Fuzzy Hash: 6e78c074890dac42a9184e4f61b1405b4c0882afff66003f583d6b069b0f8ae5
                                                                    • Instruction Fuzzy Hash: 0011947624831BF9EA112664EC0EDA73B9CFB15720F300066FA30E55D2FE6D98A15694
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 008488D7
                                                                    • CoInitialize.OLE32(00000000), ref: 00848904
                                                                    • CoUninitialize.OLE32 ref: 0084890E
                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00848A0E
                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00848B3B
                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00862C0C), ref: 00848B6F
                                                                    • CoGetObject.OLE32(?,00000000,00862C0C,?), ref: 00848B92
                                                                    • SetErrorMode.KERNEL32(00000000), ref: 00848BA5
                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00848C25
                                                                    • VariantClear.OLEAUT32(?), ref: 00848C35
                                                                    Similarity
                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                    • String ID:
                                                                    • API String ID: 2395222682-0
                                                                    • Opcode ID: e1aef05d4d476a109e6385f68618a0d012344a1a8f6400a23e6832e1af3eb98b
                                                                    • Instruction ID: 14a07fe9b949a9c3ea43352190afe8ad6000b6bbd41899b629592bab72f47290
                                                                    • Opcode Fuzzy Hash: e1aef05d4d476a109e6385f68618a0d012344a1a8f6400a23e6832e1af3eb98b
                                                                    • Instruction Fuzzy Hash: 90C1D1B1608309EFD700DF68C88492ABBE9FB89758F00496DF989DB251DB71ED05CB52
                                                                    APIs
                                                                    • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00837A6C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafeVartype
                                                                    • String ID:
                                                                    • API String ID: 1725837607-0
                                                                    • Opcode ID: 3d49cab111306824bd19d965be2c0409e71840fbe3edc4122ee2398006ee3ce3
                                                                    • Instruction ID: 86481eef7af678deb5cfcb97b55693a782e9947b7185fad95b01a366444375f9
                                                                    • Opcode Fuzzy Hash: 3d49cab111306824bd19d965be2c0409e71840fbe3edc4122ee2398006ee3ce3
                                                                    • Instruction Fuzzy Hash: F4B160B190421A9FDB20DFA8C885BBEB7B4FF89325F144429EA01E7251D778E941CBD1
                                                                    APIs
                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007DFAA6
                                                                    • OleUninitialize.OLE32(?,00000000), ref: 007DFB45
                                                                    • UnregisterHotKey.USER32(?), ref: 007DFC9C
                                                                    • DestroyWindow.USER32(?), ref: 008145D6
                                                                    • FreeLibrary.KERNEL32(?), ref: 0081463B
                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00814668
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                    • String ID: close all
                                                                    • API String ID: 469580280-3243417748
                                                                    • Opcode ID: 498f93752a6401279f57661f8eaf21117c113bcd16f458552891b1a68308b246
                                                                    • Instruction ID: 4359d4a766e21994ecfb225798cb1992dd9fc55d479c4fcf4060f1ce62822b6d
                                                                    • Opcode Fuzzy Hash: 498f93752a6401279f57661f8eaf21117c113bcd16f458552891b1a68308b246
                                                                    • Instruction Fuzzy Hash: 06A16B30301216CFDB18EF14C599AA9F364FF15714F1442AEE90AAB362DB34AC56CF90
                                                                    APIs
                                                                    • EnumChildWindows.USER32(?,0082A439), ref: 0082A377
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ChildEnumWindows
                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                    • API String ID: 3555792229-1603158881
                                                                    • Opcode ID: de551adf051c2204c01cb524a236abf1fd145e67db29489cbacd50eaa02221a2
                                                                    • Instruction ID: 261816e404eb0d7b8f442b5b0651c50778395a500935ac2dad75c042858ebb09
                                                                    • Opcode Fuzzy Hash: de551adf051c2204c01cb524a236abf1fd145e67db29489cbacd50eaa02221a2
                                                                    • Instruction Fuzzy Hash: 69919F31600619EBCB0CEFA0D845BEEFB75FF04304F548119E95AE7241DB35A999CB91
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 007D2EAE
                                                                      • Part of subcall function 007D1DB3: GetClientRect.USER32(?,?), ref: 007D1DDC
                                                                      • Part of subcall function 007D1DB3: GetWindowRect.USER32(?,?), ref: 007D1E1D
                                                                      • Part of subcall function 007D1DB3: ScreenToClient.USER32(?,?), ref: 007D1E45
                                                                    • GetDC.USER32 ref: 0080CD32
                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0080CD45
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0080CD53
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0080CD68
                                                                    • ReleaseDC.USER32(?,00000000), ref: 0080CD70
                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0080CDFB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                    • String ID: U
                                                                    • API String ID: 4009187628-3372436214
                                                                    • Opcode ID: 8b3c33418e64b3457fb6b9f0c12db9baa9892ec116ca1d43733cf3e4709646de
                                                                    • Instruction ID: 3de9b03be62dd32de410546eab826f526bbef0a54491a821b6ef2c61f589ccae
                                                                    • Opcode Fuzzy Hash: 8b3c33418e64b3457fb6b9f0c12db9baa9892ec116ca1d43733cf3e4709646de
                                                                    • Instruction Fuzzy Hash: D571D031500209EFCF619F64CC88AAA7FB5FF58325F18437AED559A2A6D7348C42DB60
                                                                    APIs
                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00841A50
                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00841A7C
                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00841ABE
                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00841AD3
                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00841AE0
                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00841B10
                                                                    • InternetCloseHandle.WININET(00000000), ref: 00841B57
                                                                      • Part of subcall function 00842483: GetLastError.KERNEL32(?,?,00841817,00000000,00000000,00000001), ref: 00842498
                                                                      • Part of subcall function 00842483: SetEvent.KERNEL32(?,?,00841817,00000000,00000000,00000001), ref: 008424AD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                    • String ID:
                                                                    • API String ID: 2603140658-3916222277
                                                                    • Opcode ID: c63f129cdb816f057cdb753d4880b8d06641eda76b6e456fa21e1e2bfab3fcb0
                                                                    • Instruction ID: 17804d705054918664ca997ed62d7b06022854d8cd7c56a48ba1703eadcc170c
                                                                    • Opcode Fuzzy Hash: c63f129cdb816f057cdb753d4880b8d06641eda76b6e456fa21e1e2bfab3fcb0
                                                                    • Instruction Fuzzy Hash: 3F414CB150121CBFEF119F50CC89FBA7BADFB08355F00412AFA05DA141E7749E849BA5
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0085F910), ref: 00848D28
                                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0085F910), ref: 00848D5C
                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00848ED6
                                                                    • SysFreeString.OLEAUT32(?), ref: 00848F00
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                    • String ID:
                                                                    • API String ID: 560350794-0
                                                                    • Opcode ID: 82411a0656a0953d86fc066803d086f720e168692ab58f6d0de0d48be9b8d64c
                                                                    • Instruction ID: ef62f3cca152f49d197dc16b2ee56109ae952e2f67c41594238e1c44a051c80e
                                                                    • Opcode Fuzzy Hash: 82411a0656a0953d86fc066803d086f720e168692ab58f6d0de0d48be9b8d64c
                                                                    • Instruction Fuzzy Hash: EEF10671A00219EFDB14DF94C888EAEB7B9FF49315F108499FA06EB251DB31AE45CB50
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0084F6B5
                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084F848
                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084F86C
                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084F8AC
                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084F8CE
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0084FA4A
                                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0084FA7C
                                                                    • CloseHandle.KERNEL32(?), ref: 0084FAAB
                                                                    • CloseHandle.KERNEL32(?), ref: 0084FB22
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                    • String ID:
                                                                    • API String ID: 4090791747-0
                                                                    • Opcode ID: d41fc332f381d01d56c4ce23cdd050968dd2a03f383b8c29e99513470c1f52ac
                                                                    • Instruction ID: 28a430e68072f58a864a1502f1de115a71ed8531cf35ed10e07b1b7c4e8d9677
                                                                    • Opcode Fuzzy Hash: d41fc332f381d01d56c4ce23cdd050968dd2a03f383b8c29e99513470c1f52ac
                                                                    • Instruction Fuzzy Hash: 45E19B31604244DFC714EF24C885A6ABBE1FF89314F14846DFA998B3A2DB34EC41CB52
                                                                    APIs
                                                                      • Part of subcall function 0083466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00833697,?), ref: 0083468B
                                                                      • Part of subcall function 0083466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00833697,?), ref: 008346A4
                                                                      • Part of subcall function 00834A31: GetFileAttributesW.KERNEL32(?,0083370B), ref: 00834A32
                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00834D40
                                                                    • _wcscmp.LIBCMT ref: 00834D5A
                                                                    • MoveFileW.KERNEL32(?,?), ref: 00834D75
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 793581249-0
                                                                    • Opcode ID: b05651b8e1053e4f430c475e04ddb03a21687696e012b38ef8fad38fa3a2f1a2
                                                                    • Instruction ID: 3732821a565fba9c8bb0f9cd980b678e0e8c0303b4558c402f4dfdb93808f8e9
                                                                    • Opcode Fuzzy Hash: b05651b8e1053e4f430c475e04ddb03a21687696e012b38ef8fad38fa3a2f1a2
                                                                    • Instruction Fuzzy Hash: 895131B21083459BC725DBA4D8859DFB3ECFF84350F50192EB689D3152EE34B588C7A6
                                                                    APIs
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008586FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: InvalidateRect
                                                                    • String ID:
                                                                    • API String ID: 634782764-0
                                                                    • Opcode ID: cc3e48fdcf3841d7c4d7e5a5c6c2a088f2310cc1ac6c4b135732671c3ac74fbe
                                                                    • Instruction ID: 22b263e85e8cdaf16b0b20b1f1ac8e4e887d74160dc99aabf1779cdf52b1c56e
                                                                    • Opcode Fuzzy Hash: cc3e48fdcf3841d7c4d7e5a5c6c2a088f2310cc1ac6c4b135732671c3ac74fbe
                                                                    • Instruction Fuzzy Hash: 9951A130500244FEEF209B298C89FAD3BA5FB19356F604127FE51F62A1CF75A988CB41
                                                                    APIs
                                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0080C2F7
                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0080C319
                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0080C331
                                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0080C34F
                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0080C370
                                                                    • DestroyIcon.USER32(00000000), ref: 0080C37F
                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0080C39C
                                                                    • DestroyIcon.USER32(?), ref: 0080C3AB
                                                                      • Part of subcall function 0085A4AF: DeleteObject.GDI32(00000000), ref: 0085A4E8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                    • String ID:
                                                                    • API String ID: 2819616528-0
                                                                    APIs
                                                                      • Part of subcall function 0082A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0082A84C
                                                                      • Part of subcall function 0082A82C: GetCurrentThreadId.KERNEL32 ref: 0082A853
                                                                      • Part of subcall function 0082A82C: AttachThreadInput.USER32(00000000,?,00829683,?,00000001), ref: 0082A85A
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 0082968E
                                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008296AB
                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 008296AE
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 008296B7
                                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008296D5
                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008296D8
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 008296E1
                                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008296F8
                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008296FB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                    • String ID:
                                                                    • API String ID: 2014098862-0
                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0082853C,00000B00,?,?), ref: 0082892A
                                                                    • HeapAlloc.KERNEL32(00000000,?,0082853C,00000B00,?,?), ref: 00828931
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0082853C,00000B00,?,?), ref: 00828946
                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,0082853C,00000B00,?,?), ref: 0082894E
                                                                    • DuplicateHandle.KERNEL32(00000000,?,0082853C,00000B00,?,?), ref: 00828951
                                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0082853C,00000B00,?,?), ref: 00828961
                                                                    • GetCurrentProcess.KERNEL32(0082853C,00000000,?,0082853C,00000B00,?,?), ref: 00828969
                                                                    • DuplicateHandle.KERNEL32(00000000,?,0082853C,00000B00,?,?), ref: 0082896C
                                                                    • CreateThread.KERNEL32(00000000,00000000,00828992,00000000,00000000,00000000), ref: 00828986
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                    • String ID:
                                                                    • API String ID: 1957940570-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                    • API String ID: 0-572801152
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Variant$ClearInit$_memset
                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                    • API String ID: 2862541840-625585964
                                                                    APIs
                                                                      • Part of subcall function 0082710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?,?,00827455), ref: 00827127
                                                                      • Part of subcall function 0082710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?), ref: 00827142
                                                                      • Part of subcall function 0082710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?), ref: 00827150
                                                                      • Part of subcall function 0082710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?), ref: 00827160
                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00849806
                                                                    • _memset.LIBCMT ref: 00849813
                                                                    • _memset.LIBCMT ref: 00849956
                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00849982
                                                                    • CoTaskMemFree.OLE32(?), ref: 0084998D
                                                                    Strings
                                                                    • NULL Pointer assignment, xrefs: 008499DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                    • String ID: NULL Pointer assignment
                                                                    • API String ID: 1300414916-2785691316
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00856E24
                                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00856E38
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00856E52
                                                                    • _wcscat.LIBCMT ref: 00856EAD
                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00856EC4
                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00856EF2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: MessageSend$Window_wcscat
                                                                    • String ID: SysListView32
                                                                    • API String ID: 307300125-78025650
                                                                    APIs
                                                                      • Part of subcall function 00833C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00833C7A
                                                                      • Part of subcall function 00833C55: Process32FirstW.KERNEL32(00000000,?), ref: 00833C88
                                                                      • Part of subcall function 00833C55: CloseHandle.KERNEL32(00000000), ref: 00833D52
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084E9A4
                                                                    • GetLastError.KERNEL32 ref: 0084E9B7
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084E9E6
                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0084EA63
                                                                    • GetLastError.KERNEL32(00000000), ref: 0084EA6E
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0084EAA3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                    • String ID: SeDebugPrivilege
                                                                    • API String ID: 2533919879-2896544425
                                                                    APIs
                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 00833033
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: IconLoad
                                                                    • String ID: blank$info$question$stop$warning
                                                                    • API String ID: 2457776203-404129466
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00834312
                                                                    • LoadStringW.USER32(00000000), ref: 00834319
                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0083432F
                                                                    • LoadStringW.USER32(00000000), ref: 00834336
                                                                    • _wprintf.LIBCMT ref: 0083435C
                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0083437A
                                                                    Strings
                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00834357
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                    • API String ID: 3648134473-3128320259
                                                                    • Opcode ID: 523517b328a8e888c1ecc346f21b7cffbfb9f4180fa78859167d28992b927444
                                                                    • Instruction ID: aadc1ff02ae0f92a012c0dc8d091833b6d509d965a5b4df0c7441ae74babc5a5
                                                                    • Opcode Fuzzy Hash: 523517b328a8e888c1ecc346f21b7cffbfb9f4180fa78859167d28992b927444
                                                                    • Instruction Fuzzy Hash: 0C014FF2940308BFE711A7A0DD89EEB776CFB08302F4005A1BB45E2152EA786E854B70
                                                                    APIs
                                                                      • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 0085D47C
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 0085D49C
                                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0085D6D7
                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0085D6F5
                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0085D716
                                                                    • ShowWindow.USER32(00000003,00000000), ref: 0085D735
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0085D75A
                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 0085D77D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                    • String ID:
                                                                    • API String ID: 1211466189-0
                                                                    • Opcode ID: 78b169f3cecbf84670d657911e43a92921e81f531f11bc8fc5ee82b30d32cf62
                                                                    • Instruction ID: 9cbc63e3ee634d10343fa9bda4641ebfbb33debf2398081c123ef432ab58aeeb
                                                                    • Opcode Fuzzy Hash: 78b169f3cecbf84670d657911e43a92921e81f531f11bc8fc5ee82b30d32cf62
                                                                    • Instruction Fuzzy Hash: 01B16975600219EFDF24CF68C9857AA7BF1FF08712F088069ED48DA295E734A959CB90
                                                                    APIs
                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0080C1C7,00000004,00000000,00000000,00000000), ref: 007D2ACF
                                                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0080C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 007D2B17
                                                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0080C1C7,00000004,00000000,00000000,00000000), ref: 0080C21A
                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0080C1C7,00000004,00000000,00000000,00000000), ref: 0080C286
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ShowWindow
                                                                    • String ID:
                                                                    • API String ID: 1268545403-0
                                                                    • Opcode ID: 95956d6fac2905c9308a521e77abb3c11f5b6ffe4b5ff1b1c770c2de88e205d2
                                                                    • Instruction ID: 44cadc695920982919f35b62c6bfe8644efadbf23a64dbcac730b801a98968fe
                                                                    • Opcode Fuzzy Hash: 95956d6fac2905c9308a521e77abb3c11f5b6ffe4b5ff1b1c770c2de88e205d2
                                                                    • Instruction Fuzzy Hash: 5541B730704780AACB759B288C88B6B7BB2FBE5311F58C51BE546867A3C67D9843D711
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 008370DD
                                                                      • Part of subcall function 007F0DB6: std::exception::exception.LIBCMT ref: 007F0DEC
                                                                      • Part of subcall function 007F0DB6: __CxxThrowException@8.LIBCMT ref: 007F0E01
                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00837114
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00837130
                                                                    • _memmove.LIBCMT ref: 0083717E
                                                                    • _memmove.LIBCMT ref: 0083719B
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 008371AA
                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008371BF
                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 008371DE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 256516436-0
                                                                    • Opcode ID: b3ef39f501217b7558247ef5eef0623a73f068eaa9d77edda0436474c0d000c7
                                                                    • Instruction ID: 4ca47a8b173353b6790557af892bff023d7e4bf5dc45517df21680b76f9c3f90
                                                                    • Opcode Fuzzy Hash: b3ef39f501217b7558247ef5eef0623a73f068eaa9d77edda0436474c0d000c7
                                                                    • Instruction Fuzzy Hash: C8315E76900209EBCF10EFA4DC899AEBB78FF45711F1441A5EA04EB356DB74DA14CBA0
                                                                    APIs
                                                                    • DeleteObject.GDI32(00000000), ref: 008561EB
                                                                    • GetDC.USER32(00000000), ref: 008561F3
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008561FE
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0085620A
                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00856246
                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00856257
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0085902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00856291
                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008562B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 3864802216-0
                                                                    • Opcode ID: 1584791b9945e6542874508589e35ea5dab10d8507bb590be910bb7fd7140c51
                                                                    • Instruction ID: 2e2dd0bc44ee8f109036815aad7fa33b18370f6296973d70f756de69da35284c
                                                                    • Opcode Fuzzy Hash: 1584791b9945e6542874508589e35ea5dab10d8507bb590be910bb7fd7140c51
                                                                    • Instruction Fuzzy Hash: CF315C72101610BFEB118F508C8AFAB3BA9FF59766F044065FE08DA192D6799851CB60
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _memcmp
                                                                    • String ID:
                                                                    • API String ID: 2931989736-0
                                                                    • Opcode ID: 8606b70c915a0f17536d2d3d674ea89e97a901337771c37c31ad6499e53c34c6
                                                                    • Instruction ID: ed1bd4ce5002ee95441bf5594e5550ddd9066c80a0a696298abb5d1b672d8121
                                                                    • Opcode Fuzzy Hash: 8606b70c915a0f17536d2d3d674ea89e97a901337771c37c31ad6499e53c34c6
                                                                    • Instruction Fuzzy Hash: 6C21A46160266EFBE6046611BD42FBB775DFF60368F084020FE04D6B87EB68DE5181A1
                                                                    APIs
                                                                      • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                                      • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                                      • Part of subcall function 007EFC86: _wcscpy.LIBCMT ref: 007EFCA9
                                                                    • _wcstok.LIBCMT ref: 0083EC94
                                                                    • _wcscpy.LIBCMT ref: 0083ED23
                                                                    • _memset.LIBCMT ref: 0083ED56
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                    • String ID: X
                                                                    • API String ID: 774024439-3081909835
                                                                    • Opcode ID: 3154071be02d475c2c306f27727241a4be62de22bd971b7b467a9de18d503857
                                                                    • Instruction ID: 3d5ac982735b93d83dd7762831b48da73402253c4abbc812ffa09a4ef5d4b9d3
                                                                    • Opcode Fuzzy Hash: 3154071be02d475c2c306f27727241a4be62de22bd971b7b467a9de18d503857
                                                                    • Instruction Fuzzy Hash: F8C13971508644DFC754EF28C889A6AB7F4FF85310F10492EF9999B3A2DB74E845CB82
                                                                    APIs
                                                                    • __WSAFDIsSet.WSOCK32(00000000,?), ref: 00846C00
                                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00846C21
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00846C34
                                                                    • htons.WSOCK32(?), ref: 00846CEA
                                                                    • inet_ntoa.WSOCK32(?), ref: 00846CA7
                                                                      • Part of subcall function 0082A7E9: _strlen.LIBCMT ref: 0082A7F3
                                                                      • Part of subcall function 0082A7E9: _memmove.LIBCMT ref: 0082A815
                                                                    • _strlen.LIBCMT ref: 00846D44
                                                                    • _memmove.LIBCMT ref: 00846DAD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                    • String ID:
                                                                    • API String ID: 3619996494-0
                                                                    • Opcode ID: dc2f8c797e14620d03c999fa8648586992d1322937e317bb9f8721ccc69209dc
                                                                    • Instruction ID: 110d6035e5ca9a740af0921eb36ccda9bd4b30d26f0a73d72080abb5fe50bb69
                                                                    • Opcode Fuzzy Hash: dc2f8c797e14620d03c999fa8648586992d1322937e317bb9f8721ccc69209dc
                                                                    • Instruction Fuzzy Hash: BE81D071604304ABC710EB28CC86F6AB7B8FF85724F14491AF655DB292EB75AD04CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8fba3b1aedbda91535846d447114127a06d2a03bf7019f1ea642d0a12cb1226b
                                                                    • Instruction ID: e56858c1725473b70a9c7b4e2939d3bab8b4847bb072de227b9886a0042a9e01
                                                                    • Opcode Fuzzy Hash: 8fba3b1aedbda91535846d447114127a06d2a03bf7019f1ea642d0a12cb1226b
                                                                    • Instruction Fuzzy Hash: C5716930900209FFCB05DF98CD48ABEBB79FF85314F54815AF915AB291C738AA51CBA0
                                                                    APIs
                                                                    • IsWindow.USER32(01146C50), ref: 0085B3EB
                                                                    • IsWindowEnabled.USER32(01146C50), ref: 0085B3F7
                                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0085B4DB
                                                                    • SendMessageW.USER32(01146C50,000000B0,?,?), ref: 0085B512
                                                                    • IsDlgButtonChecked.USER32(?,?), ref: 0085B54F
                                                                    • GetWindowLongW.USER32(01146C50,000000EC), ref: 0085B571
                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0085B589
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                    • String ID:
                                                                    • API String ID: 4072528602-0
                                                                    • Opcode ID: 045ae51fd874955e789433018b42149d9b37f52a09e2bba66908a4e9b6cc333b
                                                                    • Instruction ID: e0577a8161e5c102466c09b62c91e3b950230394ee58f8b29245c3107b09e5d3
                                                                    • Opcode Fuzzy Hash: 045ae51fd874955e789433018b42149d9b37f52a09e2bba66908a4e9b6cc333b
                                                                    • Instruction Fuzzy Hash: 18718C34600604AFDF319F94C894FBABBA9FF69302F144069EE45E73A2C731A949CB54
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0084F448
                                                                    • _memset.LIBCMT ref: 0084F511
                                                                    • ShellExecuteExW.SHELL32(?), ref: 0084F556
                                                                      • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                                      • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                                      • Part of subcall function 007EFC86: _wcscpy.LIBCMT ref: 007EFCA9
                                                                    • GetProcessId.KERNEL32(00000000), ref: 0084F5CD
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0084F5FC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                    • String ID: @
                                                                    • API String ID: 3522835683-2766056989
                                                                    • Opcode ID: 0da296febc9068d23a2de32168c715bae062babf3d74c4dd75b9c21ed3166f05
                                                                    • Instruction ID: aaddb56383ecd5216c81e1a74da9ad4154932e74a20e0f1cab9bf4afd734ac5a
                                                                    • Opcode Fuzzy Hash: 0da296febc9068d23a2de32168c715bae062babf3d74c4dd75b9c21ed3166f05
                                                                    • Instruction Fuzzy Hash: AE61AD75A00619DFCB04EF68C4859AEBBF5FF48310F15806EEA59AB352CB34AD41CB94
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 00830F8C
                                                                    • GetKeyboardState.USER32(?), ref: 00830FA1
                                                                    • SetKeyboardState.USER32(?), ref: 00831002
                                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00831030
                                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0083104F
                                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00831095
                                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008310B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    • Opcode ID: 0e7d87dad6b7b91b8743b2637adaa4763620925d1b44cb672ad1991954b2d5b0
                                                                    • Instruction ID: d2609fd02a5bc4475d070c26291d61e1129fb39282fb98b14ae51221677c4d26
                                                                    • Opcode Fuzzy Hash: 0e7d87dad6b7b91b8743b2637adaa4763620925d1b44cb672ad1991954b2d5b0
                                                                    • Instruction Fuzzy Hash: F551E6A0504BD53DFF3642348C29BBABEA9BB86B04F088589E1D5C58D3C6D9DCC4D791
                                                                    APIs
                                                                    • GetParent.USER32(00000000), ref: 00830DA5
                                                                    • GetKeyboardState.USER32(?), ref: 00830DBA
                                                                    • SetKeyboardState.USER32(?), ref: 00830E1B
                                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00830E47
                                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00830E64
                                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00830EA8
                                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00830EC9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    • Opcode ID: 383517149bf4cd7e9af2cd363aed31e37b40cf98b7afd44891cf8ff54c3d8f0f
                                                                    • Instruction ID: 7834f7191bedfac4a1798d186701d1fe297abee0fc66fc29487b38ec4e7f1b34
                                                                    • Opcode Fuzzy Hash: 383517149bf4cd7e9af2cd363aed31e37b40cf98b7afd44891cf8ff54c3d8f0f
                                                                    • Instruction Fuzzy Hash: 1951E6A06087D53DFB3283748C65B7A7EE9FB86300F088989E1D4C64C2D795AC94DB91
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _wcsncpy$LocalTime
                                                                    • String ID:
                                                                    • API String ID: 2945705084-0
                                                                    • Opcode ID: 89baeda2ab8a4e237d580940f87490ee495a16523d692222b25df2a4ca8581a1
                                                                    • Instruction ID: cb9a0310724f7e7b78caea99d8c9e3e4291430e6c0fc8780338568cdfd65d64c
                                                                    • Opcode Fuzzy Hash: 89baeda2ab8a4e237d580940f87490ee495a16523d692222b25df2a4ca8581a1
                                                                    • Instruction Fuzzy Hash: 16418365C1161CB6CB11EBF48C4AADFB3B8AF44310F508956E618E3221FA38A255C7E6
                                                                    APIs
                                                                      • Part of subcall function 0083466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00833697,?), ref: 0083468B
                                                                      • Part of subcall function 0083466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00833697,?), ref: 008346A4
                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 008336B7
                                                                    • _wcscmp.LIBCMT ref: 008336D3
                                                                    • MoveFileW.KERNEL32(?,?), ref: 008336EB
                                                                    • _wcscat.LIBCMT ref: 00833733
                                                                    • SHFileOperationW.SHELL32(?), ref: 0083379F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                    • String ID: \*.*
                                                                    • API String ID: 1377345388-1173974218
                                                                    • Opcode ID: dc61b281ba6e295f4dd2af09bdcbb7d3fe01ff27abaf033932fa03fc6e53fe53
                                                                    • Instruction ID: 59029745c6b3b085064ee0769bd0c330433da2d923403763eb4b71428c237491
                                                                    • Opcode Fuzzy Hash: dc61b281ba6e295f4dd2af09bdcbb7d3fe01ff27abaf033932fa03fc6e53fe53
                                                                    • Instruction Fuzzy Hash: 6E417EB1508344AED751EF64D4469EFB7E8FF98380F40192EB49AC3251EB38D689C792
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 008572AA
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00857351
                                                                    • IsMenu.USER32(?), ref: 00857369
                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008573B1
                                                                    • DrawMenuBar.USER32 ref: 008573C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                                                    • String ID: 0
                                                                    • API String ID: 3866635326-4108050209
                                                                    • Opcode ID: ded161632662e9e83e19f6062acd0529379ce48817852b33f791a0aad698db75
                                                                    • Instruction ID: 8fa6f36e2114bc7f72862ca5264b7e99f87233814d6ce9583080dc73e870098c
                                                                    • Opcode Fuzzy Hash: ded161632662e9e83e19f6062acd0529379ce48817852b33f791a0aad698db75
                                                                    • Instruction Fuzzy Hash: 58412475A04208EFDB20DF50E884AEABBB9FF08366F548469FD05AB350D730AD58DB50
                                                                    APIs
                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00850FD4
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00850FFE
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 008510B5
                                                                      • Part of subcall function 00850FA5: RegCloseKey.ADVAPI32(?), ref: 0085101B
                                                                      • Part of subcall function 00850FA5: FreeLibrary.KERNEL32(?), ref: 0085106D
                                                                      • Part of subcall function 00850FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00851090
                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00851058
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                    • String ID:
                                                                    • API String ID: 395352322-0
                                                                    • Opcode ID: 0a849f4196e76c6ffcd77139284713dafa8c290428bcf5a97a79c8e30c59f5a1
                                                                    • Instruction ID: 3445b81038f2cb587b73b03f395b186b763257dcf87fb8fc0ef5f9e762f7b252
                                                                    • Opcode Fuzzy Hash: 0a849f4196e76c6ffcd77139284713dafa8c290428bcf5a97a79c8e30c59f5a1
                                                                    • Instruction Fuzzy Hash: 74310A71900609BFDF159B94DC89EFFB7BCFF08351F040169EA01E2181EB749E899AA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008562EC
                                                                    • GetWindowLongW.USER32(01146C50,000000F0), ref: 0085631F
                                                                    • GetWindowLongW.USER32(01146C50,000000F0), ref: 00856354
                                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00856386
                                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008563B0
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 008563C1
                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008563DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: LongWindow$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 2178440468-0
                                                                    • Opcode ID: b3d9eb176c89009898a21c7633e0fbdd5d3a19edaf251794a024193b3bae30a5
                                                                    • Instruction ID: df6afdc71d23f9630e0f2e8fe415c2f440394bb6eab79c8e82ae49fb9a7fc337
                                                                    • Opcode Fuzzy Hash: b3d9eb176c89009898a21c7633e0fbdd5d3a19edaf251794a024193b3bae30a5
                                                                    • Instruction Fuzzy Hash: E7312230600241AFDB21DF18DC84F9537E1FB4A756F9801A8FA01DF2B2DB71A858CB51
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082DB2E
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082DB54
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0082DB57
                                                                    • SysAllocString.OLEAUT32(?), ref: 0082DB75
                                                                    • SysFreeString.OLEAUT32(?), ref: 0082DB7E
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0082DBA3
                                                                    • SysAllocString.OLEAUT32(?), ref: 0082DBB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    • Opcode ID: 3743c21a862e126d642ad6cfd138d06e1e8993ed4c69ac3455356c8275113e63
                                                                    • Instruction ID: 19c930caf894b92e8f8e73d14cc75e7fa6a623a3d2711dbc0e6b68f9676566b0
                                                                    • Opcode Fuzzy Hash: 3743c21a862e126d642ad6cfd138d06e1e8993ed4c69ac3455356c8275113e63
                                                                    • Instruction Fuzzy Hash: DD218176601329AF9F10DFA8EC88CBB77ACFB09371B018525FE14DB251D674AC8587A4
                                                                    APIs
                                                                      • Part of subcall function 00847D8B: inet_addr.WSOCK32(00000000), ref: 00847DB6
                                                                    • socket.WSOCK32(00000002,00000001,00000006), ref: 008461C6
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 008461D5
                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0084620E
                                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00846217
                                                                    • WSAGetLastError.WSOCK32 ref: 00846221
                                                                    • closesocket.WSOCK32(00000000), ref: 0084624A
                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00846263
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 910771015-0
                                                                    • Opcode ID: 3e980de324d22179656ceb53cbb3868524523e8834dcde9f8254d611ba0021db
                                                                    • Instruction ID: ebbe746c1d685ca1fe402df2c8ad8b823d2dce7b0f736e45cd259753fce88583
                                                                    • Opcode Fuzzy Hash: 3e980de324d22179656ceb53cbb3868524523e8834dcde9f8254d611ba0021db
                                                                    • Instruction Fuzzy Hash: 5F31A431600218ABDF10AF24CC85BBD7BBDFF45715F044029FA05E7291DB74AC149B62
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                    • API String ID: 1038674560-2734436370
                                                                    • Opcode ID: 9abd96688fb703bc683ecf22a675e5d10895496619ecc38c1446110d876c4b79
                                                                    • Instruction ID: ba63a4d441c84cacf762c4489f742e8830245350fcb491d7292c260a1ed04747
                                                                    • Opcode Fuzzy Hash: 9abd96688fb703bc683ecf22a675e5d10895496619ecc38c1446110d876c4b79
                                                                    • Instruction Fuzzy Hash: D5214572204575AAC220AA34BC06EB773E8FF65354B10403AFB46C6293EB589D85C3A4
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082DC09
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082DC2F
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0082DC32
                                                                    • SysAllocString.OLEAUT32 ref: 0082DC53
                                                                    • SysFreeString.OLEAUT32 ref: 0082DC5C
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0082DC76
                                                                    • SysAllocString.OLEAUT32(?), ref: 0082DC84
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    • Opcode ID: be13817fb58d0327d02c5fbc7b09bdf13b1ce1f3cda2c94e3eb16a846d273242
                                                                    • Instruction ID: 161588191621d769799e1d6df87d100cfb7d8ad73629b0ff921f08cd48237d2c
                                                                    • Opcode Fuzzy Hash: be13817fb58d0327d02c5fbc7b09bdf13b1ce1f3cda2c94e3eb16a846d273242
                                                                    • Instruction Fuzzy Hash: 3F214475605318AF9B10DFA8EC88DAB7BECFB09360B508125FA14CB361D678EC85C764
                                                                    APIs
                                                                      • Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
                                                                      • Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
                                                                      • Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91
                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00857632
                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0085763F
                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0085764A
                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00857659
                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00857665
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                    • String ID: Msctls_Progress32
                                                                    • API String ID: 1025951953-3636473452
                                                                    • Opcode ID: ce02034c2eda31ff65708db0c762cab60c9c4ad11415dd8ac5dfee83c6e6b7bf
                                                                    • Instruction ID: af833f32e7b6df60164c89ad84008d2626ccbf9e4e399a9cb7072bbac995e78e
                                                                    • Opcode Fuzzy Hash: ce02034c2eda31ff65708db0c762cab60c9c4ad11415dd8ac5dfee83c6e6b7bf
                                                                    • Instruction Fuzzy Hash: 4B11B6B1150219BFEF159F64CC85EE77F6DFF08798F014115BA04A2050C7729C25DBA4
                                                                    APIs
                                                                    • __init_pointers.LIBCMT ref: 007F9AE6
                                                                      • Part of subcall function 007F3187: EncodePointer.KERNEL32(00000000), ref: 007F318A
                                                                      • Part of subcall function 007F3187: __initp_misc_winsig.LIBCMT ref: 007F31A5
                                                                      • Part of subcall function 007F3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007F9EA0
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 007F9EB4
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 007F9EC7
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 007F9EDA
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 007F9EED
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 007F9F00
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 007F9F13
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 007F9F26
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 007F9F39
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 007F9F4C
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 007F9F5F
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 007F9F72
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 007F9F85
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 007F9F98
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 007F9FAB
                                                                      • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 007F9FBE
                                                                    • __mtinitlocks.LIBCMT ref: 007F9AEB
                                                                    • __mtterm.LIBCMT ref: 007F9AF4
                                                                      • Part of subcall function 007F9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,007F9AF9,007F7CD0,0088A0B8,00000014), ref: 007F9C56
                                                                      • Part of subcall function 007F9B5C: _free.LIBCMT ref: 007F9C5D
                                                                      • Part of subcall function 007F9B5C: DeleteCriticalSection.KERNEL32(0088EC00,?,?,007F9AF9,007F7CD0,0088A0B8,00000014), ref: 007F9C7F
                                                                    • __calloc_crt.LIBCMT ref: 007F9B19
                                                                    • __initptd.LIBCMT ref: 007F9B3B
                                                                    • GetCurrentThreadId.KERNEL32 ref: 007F9B42
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                    • String ID:
                                                                    • API String ID: 3567560977-0
                                                                    • Opcode ID: fc797e97c4fab096ab346bffd834b8b94d1d39c316d6f78230816f5519253f21
                                                                    • Instruction ID: 87822536288df4978d4c6f982b287deb68bfaaba4538a79f33358d34bb365319
                                                                    • Opcode Fuzzy Hash: fc797e97c4fab096ab346bffd834b8b94d1d39c316d6f78230816f5519253f21
                                                                    • Instruction Fuzzy Hash: 48F09672619719A9E67477787C0BB7A3A90AF02734F20461AF764C53D6FF5888414261
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007F3F85), ref: 007F4085
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 007F408C
                                                                    • EncodePointer.KERNEL32(00000000), ref: 007F4097
                                                                    • DecodePointer.KERNEL32(007F3F85), ref: 007F40B2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                    • String ID: RoUninitialize$combase.dll
                                                                    • API String ID: 3489934621-2819208100
                                                                    • Opcode ID: 04daacec7f68edf057bf8e08bf2dac1efdf3bee7f594c2b7813608b07517c0ab
                                                                    • Instruction ID: de7949e74cc3a822c17c3d7f2fc95c61d0062d5e54aa7ac1ed8188661da15d5c
                                                                    • Opcode Fuzzy Hash: 04daacec7f68edf057bf8e08bf2dac1efdf3bee7f594c2b7813608b07517c0ab
                                                                    • Instruction Fuzzy Hash: BCE0B670581704EFEB20BF61EC0DB563AA5B704783F14406AF215E12B1CFBE4604CA14
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _memmove$__itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 3253778849-0
                                                                    • Opcode ID: 1a44ea1867cdb98926dfc3f4012692738adcbdbdccd52b9821b2ba9a2b0d409a
                                                                    • Instruction ID: 391882657eca446a581bfaafbbfec16b1511587d3b3d9c8ea1830c362bb2e67f
                                                                    • Opcode Fuzzy Hash: 1a44ea1867cdb98926dfc3f4012692738adcbdbdccd52b9821b2ba9a2b0d409a
                                                                    • Instruction Fuzzy Hash: 72619F3190065AEBCF01EF68CC86AFE37A5FF95308F048519F9559B292EB389815DB90
                                                                    APIs
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                      • Part of subcall function 00850E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084FDAD,?,?), ref: 00850E31
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008502BD
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008502FD
                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00850320
                                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00850349
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0085038C
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00850399
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                    • String ID:
                                                                    • API String ID: 4046560759-0
                                                                    • Opcode ID: f564e694f31610662f27d51135cd8e6bd8d7073422f1ec3235281a7f8fbcb3a5
                                                                    • Instruction ID: 4f79c62d08d84ff17f58cd686b7c395a49d8d06b8fbb6841fad67684c74e03e7
                                                                    • Opcode Fuzzy Hash: f564e694f31610662f27d51135cd8e6bd8d7073422f1ec3235281a7f8fbcb3a5
                                                                    • Instruction Fuzzy Hash: 71513871208204EFC715EF64C849EAEBBA9FF84314F04491DF955872A2DB35E909CB52
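The per-function records in this report (the registry-enumeration function directly above, and the `__wcsnicmp` function earlier whose String ID lists the AutoIt directives `#OnAutoItStartRegister`, `#notrayicon` and `#requireadmin`) follow a fixed plain-text layout: an `APIs` header, bullet lines of the form `Name.MODULE(args), ref: ADDR` (optionally prefixed with `Part of subcall function CALLER:`), and a `Similarity` section whose `String ID` is a `$`-joined list of the string constants the function references. The parser below is an added example, not part of the Joe Sandbox report or its tooling; it turns that layout into Python objects so the records can be searched or matched across samples by `Instruction ID`. The embedded sample text is constructed from two records on this page, and the `triage` tags are a heuristic of my own, not a Joe Sandbox classification.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Similarity) into
Python objects and tag them for triage.

Added example; not part of the Joe Sandbox report or its tooling. It assumes
the plain-text layout seen on the page: each function record starts at an
'APIs' header, bullet lines are prefixed with '•', and 'String ID' is a
'$'-joined list of the string constants the function references.
"""
import re
from dataclasses import dataclass, field

HEADERS = {"APIs", "Strings", "Memory Dump Source",
           "Joe Sandbox IDA Plugin", "Similarity"}

# 'Name.MODULE(args), ref: ADDR' or 'Name.MODULE ref: ADDR', optionally
# prefixed with 'Part of subcall function CALLER: '.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-F]+)$"
)

# Constructed sample: two records copied from this report's layout.
SAMPLE = """\
APIs
  • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008502BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008502FD
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00850349
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Instruction ID: 4f79c62d08d84ff17f58cd686b7c395a49d8d06b8fbb6841fad67684c74e03e7
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Instruction ID: ba63a4d441c84cacf762c4489f742e8830245350fcb491d7292c260a1ed04747
"""


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # dicts: name, module, args, ref, caller
    strings: list = field(default_factory=list)     # bullet lines under 'Strings'
    similarity: dict = field(default_factory=dict)  # key -> value under 'Similarity'

    @property
    def api_names(self):
        return [a["name"] for a in self.apis]

    @property
    def string_constants(self):
        return [s for s in self.similarity.get("String ID", "").split("$") if s]


def parse_records(text):
    """Split report text into FunctionRecord objects, one per 'APIs' header."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":               # a new function record begins here
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_LINE.match(body)
            if m:
                current.apis.append(m.groupdict())
        elif section == "Strings":
            current.strings.append(body)
        elif section == "Similarity":
            key, _, value = body.partition(":")
            current.similarity[key.strip()] = value.strip()
    return records


# Heuristic triage labels of my own (assumption), not a Joe Sandbox classification.
NETWORK_APIS = {"socket", "connect", "ioctlsocket", "closesocket", "inet_addr"}


def triage(record):
    """Return sorted behaviour tags derived from API names and string constants."""
    names = set(record.api_names)
    tags = set()
    if any(n.startswith("Reg") for n in names):
        tags.add("registry")
    if names & NETWORK_APIS or "socket" in record.similarity.get("API ID", ""):
        tags.add("network")
    if any(s.startswith("#") for s in record.string_constants):
        tags.add("autoit-directive")       # '#requireadmin' and friends are AutoIt script directives
    return sorted(tags)


def index_by_instruction_id(records):
    """Map 'Instruction ID' -> record, for matching functions across samples."""
    return {r.similarity["Instruction ID"]: r
            for r in records if "Instruction ID" in r.similarity}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.api_names, rec.string_constants, triage(rec))
```

Feed it the report text saved from the page and the `Instruction ID` index gives a quick way to check whether a later AgentTesla or AutoIt-packed sample reuses the same functions; the `triage` tags are only a first filter and should be read against the full API list of each record.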
                                                                    APIs
                                                                    • GetMenu.USER32(?), ref: 008557FB
                                                                    • GetMenuItemCount.USER32(00000000), ref: 00855832
                                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0085585A
                                                                    • GetMenuItemID.USER32(?,?), ref: 008558C9
                                                                    • GetSubMenu.USER32(?,?), ref: 008558D7
                                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00855928
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$CountMessagePostString
                                                                    • String ID:
                                                                    • API String ID: 650687236-0
                                                                    • Opcode ID: 9f6ef73baa677a06c4806f1eb8816fe6f16ceb094d7773233dde5ee7acd14343
                                                                    • Instruction ID: af8508fe935316f5446c11d58b2774eb6251518d1c71cd538f620e8ea7947adb
                                                                    • Opcode Fuzzy Hash: 9f6ef73baa677a06c4806f1eb8816fe6f16ceb094d7773233dde5ee7acd14343
                                                                    • Instruction Fuzzy Hash: 71515A35E00619EFCF01AF64C855AAEBBB4FF48321F144069ED11EB352CB38AE419B90
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 0082EF06
                                                                    • VariantClear.OLEAUT32(00000013), ref: 0082EF78
                                                                    • VariantClear.OLEAUT32(00000000), ref: 0082EFD3
                                                                    • _memmove.LIBCMT ref: 0082EFFD
                                                                    • VariantClear.OLEAUT32(?), ref: 0082F04A
                                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0082F078
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                                                    • String ID:
                                                                    • API String ID: 1101466143-0
                                                                    • Opcode ID: af52c403f3513ca0c9fa0c87cd296821cdf7b37a4479622d9f57ef311faa94b8
                                                                    • Instruction ID: e89e82bde79ec9a47b2504c1190000643356632855ce8320c355f894ca2b4a12
                                                                    • Opcode Fuzzy Hash: af52c403f3513ca0c9fa0c87cd296821cdf7b37a4479622d9f57ef311faa94b8
                                                                    • Instruction Fuzzy Hash: 5A516CB5A00219DFCB10DF58D884AAAB7F8FF4C314B158569EA49DB302E334E951CFA0
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00832258
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008322A3
                                                                    • IsMenu.USER32(00000000), ref: 008322C3
                                                                    • CreatePopupMenu.USER32 ref: 008322F7
                                                                    • GetMenuItemCount.USER32(000000FF), ref: 00832355
                                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00832386
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                    • String ID:
                                                                    • API String ID: 3311875123-0
                                                                    APIs
                                                                      • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 007D179A
                                                                    • GetWindowRect.USER32(?,?), ref: 007D17FE
                                                                    • ScreenToClient.USER32(?,?), ref: 007D181B
                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007D182C
                                                                    • EndPaint.USER32(?,?), ref: 007D1876
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                    • String ID:
                                                                    • API String ID: 1827037458-0
                                                                    APIs
                                                                    • ShowWindow.USER32(008957B0,00000000,01146C50,?,?,008957B0,?,0085B5A8,?,?), ref: 0085B712
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 0085B736
                                                                    • ShowWindow.USER32(008957B0,00000000,01146C50,?,?,008957B0,?,0085B5A8,?,?), ref: 0085B796
                                                                    • ShowWindow.USER32(00000000,00000004,?,0085B5A8,?,?), ref: 0085B7A8
                                                                    • EnableWindow.USER32(00000000,00000001), ref: 0085B7CC
                                                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0085B7EF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Window$Show$Enable$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 642888154-0
                                                                    APIs
                                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00844E41,?,?,00000000,00000001), ref: 008470AC
                                                                      • Part of subcall function 008439A0: GetWindowRect.USER32(?,?), ref: 008439B3
                                                                    • GetDesktopWindow.USER32 ref: 008470D6
                                                                    • GetWindowRect.USER32(00000000), ref: 008470DD
                                                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0084710F
                                                                      • Part of subcall function 00835244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008352BC
                                                                    • GetCursorPos.USER32(?), ref: 0084713B
                                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00847199
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                    • String ID:
                                                                    • API String ID: 4137160315-0
                                                                    APIs
                                                                      • Part of subcall function 008280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008280C0
                                                                      • Part of subcall function 008280A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008280CA
                                                                      • Part of subcall function 008280A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008280D9
                                                                      • Part of subcall function 008280A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008280E0
                                                                      • Part of subcall function 008280A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008280F6
                                                                    • GetLengthSid.ADVAPI32(?,00000000,0082842F), ref: 008288CA
                                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 008288D6
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 008288DD
                                                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 008288F6
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,0082842F), ref: 0082890A
                                                                    • HeapFree.KERNEL32(00000000), ref: 00828911
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                    • String ID:
                                                                    • API String ID: 3008561057-0
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008285E2
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 008285E9
                                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008285F8
                                                                    • CloseHandle.KERNEL32(00000004), ref: 00828603
                                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00828632
                                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00828646
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                    • String ID:
                                                                    • API String ID: 1413079979-0
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 0082B7B5
                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0082B7C6
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0082B7CD
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0082B7D5
                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0082B7EC
                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0082B7FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: CapsDevice$Release
                                                                    • String ID:
                                                                    • API String ID: 1035833867-0
                                                                    APIs
                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F0193
                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 007F019B
                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F01A6
                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F01B1
                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 007F01B9
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 007F01C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Virtual
                                                                    • String ID:
                                                                    • API String ID: 4278518827-0
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008353F9
                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0083540F
                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 0083541E
                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0083542D
                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00835437
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0083543E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                    • String ID:
                                                                    • API String ID: 839392675-0
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00837243
• EnterCriticalSection.KERNEL32(?,?,007E0EE4,?,?), ref: 00837254
• TerminateThread.KERNEL32(00000000,000001F6,?,007E0EE4,?,?), ref: 00837261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,007E0EE4,?,?), ref: 0083726E
  • Part of subcall function 00836C35: CloseHandle.KERNEL32(00000000,?,0083727B,?,007E0EE4,?,?), ref: 00836C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00837281
• LeaveCriticalSection.KERNEL32(?,?,007E0EE4,?,?), ref: 00837288
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0082899D
• UnloadUserProfile.USERENV(?,?), ref: 008289A9
• CloseHandle.KERNEL32(?), ref: 008289B2
• CloseHandle.KERNEL32(?), ref: 008289BA
• GetProcessHeap.KERNEL32(00000000,?), ref: 008289C3
• HeapFree.KERNEL32(00000000), ref: 008289CA
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
• VariantInit.OLEAUT32(?), ref: 00848613
• CharUpperBuffW.USER32(?,?), ref: 00848722
• VariantClear.OLEAUT32(?), ref: 0084889A
  • Part of subcall function 00837562: VariantInit.OLEAUT32(00000000), ref: 008375A2
  • Part of subcall function 00837562: VariantCopy.OLEAUT32(00000000,?), ref: 008375AB
  • Part of subcall function 00837562: VariantClear.OLEAUT32(00000000), ref: 008375B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
APIs
  • Part of subcall function 007EFC86: _wcscpy.LIBCMT ref: 007EFCA9
• _memset.LIBCMT ref: 00832B87
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00832BB6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00832C69
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00832C97
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
Similarity
• API ID: _memmove$_free
• String ID: 3c~$_~
• API String ID: 2620147621-657907094
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
Similarity
• API ID: _memset$_memmove
• String ID: 3c~$ERCP
• API String ID: 2532777613-2728011545
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0082D5D4
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0082D60A
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0082D61B
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0082D69D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
APIs
• _memset.LIBCMT ref: 008327C0
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008327DC
• DeleteMenu.USER32(?,00000007,00000000), ref: 00832822
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00895890,00000000), ref: 0083286B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
APIs
• CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0084D7C5
  • Part of subcall function 007D784B: _memmove.LIBCMT ref: 007D7899
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
Similarity
• API ID: BuffCharLower_memmove
• String ID: cdecl$none$stdcall$winapi
• API String ID: 3425801089-567219261
APIs
  • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
  • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00828F14
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00828F27
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00828F57
  • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
Similarity
• API ID: MessageSend$_memmove$ClassName
• String ID: ComboBox$ListBox
• API String ID: 365058703-1403004172
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0084184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00841872
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008418A2
• InternetCloseHandle.WININET(00000000), ref: 008418E9
  • Part of subcall function 00842483: GetLastError.KERNEL32(?,?,00841817,00000000,00000000,00000001), ref: 00842498
  • Part of subcall function 00842483: SetEvent.KERNEL32(?,?,00841817,00000000,00000000,00000001), ref: 008424AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                    APIs
                                                                      • Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
                                                                      • Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
                                                                      • Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91
                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00856461
                                                                    • LoadLibraryW.KERNEL32(?), ref: 00856468
                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0085647D
                                                                    • DestroyWindow.USER32(?), ref: 00856485
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                    • String ID: SysAnimate32
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00836DBC
                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00836DEF
                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00836E01
                                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00836E3B
                                                                    Similarity
                                                                    • API ID: CreateHandle$FilePipe
                                                                    • String ID: nul
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00836E89
                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00836EBB
                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00836ECC
                                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00836F06
                                                                    Similarity
                                                                    • API ID: CreateHandle$FilePipe
                                                                    • String ID: nul
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0083AC54
                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0083ACA8
                                                                    • __swprintf.LIBCMT ref: 0083ACC1
                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0085F910), ref: 0083ACFF
                                                                    Similarity
                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                    • String ID: %lu
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 00831B19
                                                                    Similarity
                                                                    • API ID: BuffCharUpper
                                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                    APIs
                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0084EC07
                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0084EC37
                                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0084ED6A
                                                                    • CloseHandle.KERNEL32(?), ref: 0084EDEB
                                                                    Similarity
                                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                    APIs
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                      • Part of subcall function 00850E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084FDAD,?,?), ref: 00850E31
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008500FD
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0085013C
                                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00850183
                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 008501AF
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 008501BC
                                                                    Similarity
                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                    APIs
                                                                      • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                                      • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0084D927
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0084D9AA
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0084D9C6
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0084DA07
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0084DA21
                                                                      • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837896,?,?,00000000), ref: 007D5A2C
                                                                      • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837896,?,?,00000000,?,?), ref: 007D5A50
                                                                    Similarity
                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                    APIs
                                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0083E61F
                                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0083E648
                                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0083E687
                                                                      • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                                      • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0083E6AC
                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0083E6B4
                                                                    Similarity
                                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                    APIs
                                                                    • GetCursorPos.USER32(?), ref: 007D2357
                                                                    • ScreenToClient.USER32(008957B0,?), ref: 007D2374
                                                                    • GetAsyncKeyState.USER32(00000001), ref: 007D2399
                                                                    • GetAsyncKeyState.USER32(00000002), ref: 007D23A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                    • String ID:
                                                                    • API String ID: 4210589936-0
                                                                    • Opcode ID: 06ac84e9c00a54b7981082a3bf772ed39484e9db0bf00307f969133f9a4c3db6
                                                                    • Instruction ID: b9659cd4aa2ae6962f0f001e71a735b31d7cf571d4861dfd9e5bedca03416371
                                                                    • Opcode Fuzzy Hash: 06ac84e9c00a54b7981082a3bf772ed39484e9db0bf00307f969133f9a4c3db6
                                                                    • Instruction Fuzzy Hash: A241AF75604209FBCF159F68CC44AE9BB74FB15320F20431AF828D32E1CB389955DB91
                                                                    APIs
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008263E7
                                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00826433
                                                                    • TranslateMessage.USER32(?), ref: 0082645C
                                                                    • DispatchMessageW.USER32(?), ref: 00826466
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00826475
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                    • String ID:
                                                                    • API String ID: 2108273632-0
                                                                    • Opcode ID: 5f4d55585feb20fca7999236dcdc3f78a4e8cbde26c21a824cb26837ad40c90b
                                                                    • Instruction ID: fd5686da67ce613f3a5c1b660c20224b523f78f82c64ebb791f689f886da3cd0
                                                                    • Opcode Fuzzy Hash: 5f4d55585feb20fca7999236dcdc3f78a4e8cbde26c21a824cb26837ad40c90b
                                                                    • Instruction Fuzzy Hash: 9F31E531900666EFDB25EFB0EC48BB67BE8FB01304F180166E561C31A1F72594E9DBA0
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 00828A30
                                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 00828ADA
                                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00828AE2
                                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 00828AF0
                                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00828AF8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessagePostSleep$RectWindow
                                                                    • String ID:
                                                                    • API String ID: 3382505437-0
                                                                    • Opcode ID: f50f35d80366f0565f285728f18c9c028300fa725dd61dcbef8dfda58d65f623
                                                                    • Instruction ID: 9ff1818779c28f7b41d0b4fcc1d181be51e639c224efb4bbb040a51db3fe6dcb
                                                                    • Opcode Fuzzy Hash: f50f35d80366f0565f285728f18c9c028300fa725dd61dcbef8dfda58d65f623
                                                                    • Instruction Fuzzy Hash: D931E071501229EFDF14CFA8E94CA9E3BB5FB04316F10822AF925E71D1CBB49954CB91
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 0082B204
                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0082B221
                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0082B259
                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0082B27F
                                                                    • _wcsstr.LIBCMT ref: 0082B289
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                    • String ID:
                                                                    • API String ID: 3902887630-0
                                                                    • Opcode ID: 2b4723c0329173b2f1d2de746b80f7d92036ba00e2bece844302a43158ea6fc0
                                                                    • Instruction ID: 365107395fdab250249ed36e54d1a94e3ceed11b34236f75cb32f188c1585b2b
                                                                    • Opcode Fuzzy Hash: 2b4723c0329173b2f1d2de746b80f7d92036ba00e2bece844302a43158ea6fc0
                                                                    • Instruction Fuzzy Hash: C5210772605314FBEB159B79AC09E7F7B9CEF49710F104139F904DA2A2EF65DC8092A0
                                                                    APIs
                                                                      • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0085B192
                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0085B1B7
                                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0085B1CF
                                                                    • GetSystemMetrics.USER32(00000004), ref: 0085B1F8
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00840E90,00000000), ref: 0085B216
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long$MetricsSystem
                                                                    • String ID:
                                                                    • API String ID: 2294984445-0
                                                                    • Opcode ID: 7d67f23cfd4203c8cef89165abacad7ba29e9eb2463375e90b38143980577f37
                                                                    • Instruction ID: 4cd90cf5e27491c88eb390980bc3944f50dbd2c14862482cbee7827fb09f7a5b
                                                                    • Opcode Fuzzy Hash: 7d67f23cfd4203c8cef89165abacad7ba29e9eb2463375e90b38143980577f37
                                                                    • Instruction Fuzzy Hash: 3821A171A60655AFCB109F78DC18A6A3BA4FB25362F144739FD32D71E0E7309814CB90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00829320
                                                                      • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00829352
                                                                    • __itow.LIBCMT ref: 0082936A
                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00829392
                                                                    • __itow.LIBCMT ref: 008293A3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$__itow$_memmove
                                                                    • String ID:
                                                                    • API String ID: 2983881199-0
                                                                    • Opcode ID: b738f274ab8d1c293d7e048741a31f2c080fe6171b914dad71e19b40d56433e2
                                                                    • Instruction ID: e73ad8da24c9053957c3f1bf05e6eef56b78b4c0a34601cd4efada340ce13478
                                                                    • Opcode Fuzzy Hash: b738f274ab8d1c293d7e048741a31f2c080fe6171b914dad71e19b40d56433e2
                                                                    • Instruction Fuzzy Hash: 2B21C531700218ABDB10EA649C8DEBE7BADFB58710F045026FE85D73D1E6B48D85C7A1
                                                                    APIs
                                                                    • IsWindow.USER32(00000000), ref: 00845A6E
                                                                    • GetForegroundWindow.USER32 ref: 00845A85
                                                                    • GetDC.USER32(00000000), ref: 00845AC1
                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 00845ACD
                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 00845B08
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$ForegroundPixelRelease
                                                                    • String ID:
                                                                    • API String ID: 4156661090-0
                                                                    • Opcode ID: 1710b847e641523b2c35c01c6289bc3b82d1064e3b51a9f57a1acf8323431984
                                                                    • Instruction ID: 26574c5ec9d5f1812e27ecdda9df41db380653d501f11046f1cfc7283d22c0aa
                                                                    • Opcode Fuzzy Hash: 1710b847e641523b2c35c01c6289bc3b82d1064e3b51a9f57a1acf8323431984
                                                                    • Instruction Fuzzy Hash: 51215075A00208AFDB14EF69D888A6ABBF5FF48311F148479F909D7352CA74AD00CB90
                                                                    APIs
                                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D134D
                                                                    • SelectObject.GDI32(?,00000000), ref: 007D135C
                                                                    • BeginPath.GDI32(?), ref: 007D1373
                                                                    • SelectObject.GDI32(?,00000000), ref: 007D139C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                    • String ID:
                                                                    • API String ID: 3225163088-0
                                                                    • Opcode ID: 80b1d4ead50e7370ade45f6a0f5733f6252cb78f8457f0567aaa88575ff1625b
                                                                    • Instruction ID: b7ab3ce6680bdae7365dbcf84b27b230145460a8de65a185041d7eb33cbefd00
                                                                    • Opcode Fuzzy Hash: 80b1d4ead50e7370ade45f6a0f5733f6252cb78f8457f0567aaa88575ff1625b
                                                                    • Instruction Fuzzy Hash: 26217130801B08EFDB12AF25DD0876A7BB8FB10722F5C4227F811A66B1D7799891DF90
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _memcmp
                                                                    • String ID:
                                                                    • API String ID: 2931989736-0
                                                                    • Opcode ID: bf9fd7ea538d4562b3216959fbe2af3f119bd628cd622c45fdfe2202e87adb31
                                                                    • Instruction ID: 9e8b68b50e54a10eca3afb38fb3d42d41e5ba7763a5d56d4f7a7017a3b9c6d90
                                                                    • Opcode Fuzzy Hash: bf9fd7ea538d4562b3216959fbe2af3f119bd628cd622c45fdfe2202e87adb31
                                                                    • Instruction Fuzzy Hash: 8B0180B160252DBAD2046B116D42FBBA75CFF603A8F044021FE15D6382EB59DE9082A0
                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00834ABA
                                                                    • __beginthreadex.LIBCMT ref: 00834AD8
                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00834AED
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00834B03
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00834B0A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                    • String ID:
                                                                    • API String ID: 3824534824-0
                                                                    • Opcode ID: c9361c9026a178edee0b1f07328af20462791af1de9a3f7f657909c9a37c21c4
                                                                    • Instruction ID: 900c3a88be833b12b8d7f70ddac174992ce9f3d9b8707b07212ab9f0b1ebac54
                                                                    • Opcode Fuzzy Hash: c9361c9026a178edee0b1f07328af20462791af1de9a3f7f657909c9a37c21c4
                                                                    • Instruction Fuzzy Hash: 3E110476905618BBC702AFE8AC08A9B7FACFB85321F18426AF924D3351D675D90087E0
                                                                    APIs
                                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0082821E
                                                                    • GetLastError.KERNEL32(?,00827CE2,?,?,?), ref: 00828228
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00827CE2,?,?,?), ref: 00828237
                                                                    • HeapAlloc.KERNEL32(00000000,?,00827CE2,?,?,?), ref: 0082823E
                                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00828255
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 842720411-0
                                                                    • Opcode ID: 2d4f01c994fceb13f1f8a4d32726a00f71710994aa13c6481321ea337f1c87ff
                                                                    • Instruction ID: 0dea407fa3fcd190319aad29bf5972b158a2a76e2844323a5dca1c972dcc928f
                                                                    • Opcode Fuzzy Hash: 2d4f01c994fceb13f1f8a4d32726a00f71710994aa13c6481321ea337f1c87ff
                                                                    • Instruction Fuzzy Hash: 2D016971242724FFDF204FA6EC48DAB7BACFF8A756B500469F909C3220DA358C40CA60
                                                                    APIs
                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?,?,00827455), ref: 00827127
                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?), ref: 00827142
                                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?), ref: 00827150
                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?), ref: 00827160
                                                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?), ref: 0082716C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 3897988419-0
                                                                    • Opcode ID: edafb01982287621783a3a3da7396c041aa5b5ca6b881ace0b87ecdba9fbf8e4
                                                                    • Instruction ID: 0830ac3391511a71cde35a1ed6180324a43e07e4ca7834a2ce4b362e909e6353
                                                                    • Opcode Fuzzy Hash: edafb01982287621783a3a3da7396c041aa5b5ca6b881ace0b87ecdba9fbf8e4
                                                                    • Instruction Fuzzy Hash: 7A018472601324BBDB114F65EC44BAA7BADFF48752F140074FE04D2211D735DD909BA0
                                                                    APIs
                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00835260
                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0083526E
                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00835276
                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00835280
                                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008352BC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                    • String ID:
                                                                    • API String ID: 2833360925-0
                                                                    • Opcode ID: e7c8804debd60b4943cb0fa4dde6821b76492cb9e86a46cb828de0229e500197
                                                                    • Instruction ID: dc2ed090014a08b53979501babca574096034a0e1e423c153c8ee56b7eeaaa27
                                                                    • Opcode Fuzzy Hash: e7c8804debd60b4943cb0fa4dde6821b76492cb9e86a46cb828de0229e500197
                                                                    • Instruction Fuzzy Hash: FA012931D02A1DDBCF00EFE4EC49AEEBB78FB49712F410556EA45F2291CB34955487A1
                                                                    APIs
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00828121
                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0082812B
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0082813A
                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00828141
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00828157
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 44706859-0
                                                                    • Opcode ID: b3cec53dba41095fe936182b8004a93ae301e92593ea4388f287f12a3139cf4d
                                                                    • Instruction ID: bff57e943c46d766b449c1435ca34df3b83d7bec011bfb305545a193cbe16bfb
                                                                    • Opcode Fuzzy Hash: b3cec53dba41095fe936182b8004a93ae301e92593ea4388f287f12a3139cf4d
                                                                    • Instruction Fuzzy Hash: 07F0C270242324EFEB120FA4EC8DE6B3BACFF49755F000025FA45C3191CB649C55DA60
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0082C1F7
                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0082C20E
                                                                    • MessageBeep.USER32(00000000), ref: 0082C226
                                                                    • KillTimer.USER32(?,0000040A), ref: 0082C242
                                                                    • EndDialog.USER32(?,00000001), ref: 0082C25C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                    • String ID:
                                                                    • API String ID: 3741023627-0
                                                                    • Opcode ID: 9f84859f1a7658db4564a56509664cb59fa75e2a2b594d6f59ea861d6619fd46
                                                                    • Instruction ID: eb80ff3be8fff552892294daf065b306f6a538341d13f8208721ff41dbf20304
                                                                    • Opcode Fuzzy Hash: 9f84859f1a7658db4564a56509664cb59fa75e2a2b594d6f59ea861d6619fd46
                                                                    • Instruction Fuzzy Hash: 9801A730404314D7EB206B60ED4EFA677B8FF10707F00026AB642D14E1DBE469848B50
                                                                    APIs
                                                                    • EndPath.GDI32(?), ref: 007D13BF
                                                                    • StrokeAndFillPath.GDI32(?,?,0080B888,00000000,?), ref: 007D13DB
                                                                    • SelectObject.GDI32(?,00000000), ref: 007D13EE
                                                                    • DeleteObject.GDI32 ref: 007D1401
                                                                    • StrokePath.GDI32(?), ref: 007D141C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                    • String ID:
                                                                    • API String ID: 2625713937-0
                                                                    • Opcode ID: 6c340df5fe38538d324cb24d85a28841f35ab12c35cb9ab3507dad7a16376884
                                                                    • Instruction ID: 6ed18c7075f3d240c8a1c959f138882a19abbd5718e49fa37919dea18e5b3d38
                                                                    • Opcode Fuzzy Hash: 6c340df5fe38538d324cb24d85a28841f35ab12c35cb9ab3507dad7a16376884
                                                                    • Instruction Fuzzy Hash: 37F0B230005B48EBDB126F26EC4C75A3FA4BB01326F5C8236F529991F2C7398995DF60
                                                                    APIs
                                                                      • Part of subcall function 007F0DB6: std::exception::exception.LIBCMT ref: 007F0DEC
                                                                      • Part of subcall function 007F0DB6: __CxxThrowException@8.LIBCMT ref: 007F0E01
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                      • Part of subcall function 007D7A51: _memmove.LIBCMT ref: 007D7AAB
                                                                    • __swprintf.LIBCMT ref: 007E2ECD
                                                                    Strings
                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 007E2D66
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                    • API String ID: 1943609520-557222456
                                                                    • Opcode ID: f87b6624ccf914cc867524876d63a1c8a18680261603870a9340e65671b373da
                                                                    • Instruction ID: 1929b6faeaf90264bb6c6770fe0182370e8fcc6df4bf45cea9ca3cf701704e6f
                                                                    • Opcode Fuzzy Hash: f87b6624ccf914cc867524876d63a1c8a18680261603870a9340e65671b373da
                                                                    • Instruction Fuzzy Hash: 64914C71108255DFC718EF28C89986EB7B8FF89710F04491EF5859B2A2EA38ED45CB52
                                                                    APIs
                                                                      • Part of subcall function 007D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D4743,?,?,007D37AE,?), ref: 007D4770
                                                                    • CoInitialize.OLE32(00000000), ref: 0083B9BB
                                                                    • CoCreateInstance.OLE32(00862D6C,00000000,00000001,00862BDC,?), ref: 0083B9D4
                                                                    • CoUninitialize.OLE32 ref: 0083B9F1
                                                                      • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                                      • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                    • String ID: .lnk
                                                                    • API String ID: 2126378814-24824748
                                                                    • Opcode ID: f4cf7005682ceb4b5e317bce9ba668a095f61538b52daaf4fc87717eba9f41a8
                                                                    • Instruction ID: 4290cf166600a67cbbe277548c5334ae8a9b9bb40540ec5a9f6b115e6788ef89
                                                                    • Opcode Fuzzy Hash: f4cf7005682ceb4b5e317bce9ba668a095f61538b52daaf4fc87717eba9f41a8
                                                                    • Instruction Fuzzy Hash: B9A121B56042059FCB00DF14C884D2ABBE5FF89724F048999F9999B3A2CB35EC45CB91
                                                                    APIs
                                                                    • __startOneArgErrorHandling.LIBCMT ref: 007F50AD
                                                                      • Part of subcall function 008000F0: __87except.LIBCMT ref: 0080012B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ErrorHandling__87except__start
                                                                    • String ID: pow
                                                                    • API String ID: 2905807303-2276729525
                                                                    • Opcode ID: 6d280a8068af769aa888b7944c0b2211b336445beaecdc48497dde00040ff0e3
                                                                    • Instruction ID: 98a9104e822b782fb793fb031df1153c6579dacf8c7f9ab26de48faa8c5dc77f
                                                                    • Opcode Fuzzy Hash: 6d280a8068af769aa888b7944c0b2211b336445beaecdc48497dde00040ff0e3
                                                                    • Instruction Fuzzy Hash: AA514931A08A0A96DB527728CD0537E3B95FB41710F208D59E6D5C63EAEE388DC49EC6
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID: 3c~$_~
                                                                    • API String ID: 4104443479-657907094
                                                                    • Opcode ID: f12567dbf6c2b4a9841872f143caa880fa751b8f283e9f202e7d8794b01d2e97
                                                                    • Instruction ID: 805d053e914965350157ce40c317113f286a348aff3dc155751e3de9ede58918
                                                                    • Opcode Fuzzy Hash: f12567dbf6c2b4a9841872f143caa880fa751b8f283e9f202e7d8794b01d2e97
                                                                    • Instruction Fuzzy Hash: 20514BB0A00609DFCF24CF68C885AEEBBB5FF45304F248529E85AD7250EB35E995CB51
                                                                    APIs
                                                                      • Part of subcall function 008314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00829296,?,?,00000034,00000800,?,00000034), ref: 008314E6
                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0082983F
                                                                      • Part of subcall function 00831487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 008314B1
                                                                      • Part of subcall function 008313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00831409
                                                                      • Part of subcall function 008313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0082925A,00000034,?,?,00001004,00000000,00000000), ref: 00831419
                                                                      • Part of subcall function 008313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0082925A,00000034,?,?,00001004,00000000,00000000), ref: 0083142F
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008298AC
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008298F9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                    • String ID: @
                                                                    • API String ID: 4150878124-2766056989
                                                                    • Opcode ID: 3f412a81426931104580092f8fd37cf3eee9ff7bf366b3672a853303378ebf91
                                                                    • Instruction ID: 30e27951d5f28c1a6df15b6d64fe0a8f4818bb24f9ee24a0f352c4f3f8deb06d
                                                                    • Opcode Fuzzy Hash: 3f412a81426931104580092f8fd37cf3eee9ff7bf366b3672a853303378ebf91
                                                                    • Instruction Fuzzy Hash: C0415E7690121CAFCF10DFA4CD85ADEBBB8FB49700F004099FA85B7181DA716E85CBA1
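The function above is the one that trips the "Writes to foreign memory regions" style signatures in this report: GetWindowThreadProcessId, OpenProcess, VirtualAllocEx, WriteProcessMemory, SendMessageW and ReadProcessMemory in one call chain. The argument constants decide whether that is code injection or not, and Joe Sandbox leaves them raw. The decoder below is an added example written for this page, not code from Joe Sandbox or from the sample. It takes the API lines exactly as printed in the entry (embedded as constructed input), decodes the OpenProcess access mask 0x438 against the winnt.h PROCESS_* bits, the VirtualAllocEx protection against the PAGE_* bits and the SendMessageW message IDs against commctrl.h (TV_FIRST = 0x1100, LVM_FIRST = 0x1000), and then classifies the chain. The interpretation that a read-write buffer plus tree-view/list-view messages is the AutoIt runtime's ControlTreeView/ControlListView helper (those messages take a pointer to a struct that must live in the target process) is the analyst's assumption stated in the verdict string; the report itself only says the binary is likely compiled AutoIt.

```python
import re
from typing import Optional

# Constructed input: the API lines of the report entry above, copied verbatim so
# the decoder runs offline against real Joe Sandbox output.
SAMPLE_API_LINES = [
    "• Part of subcall function 008314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00829296,?,?,00000034,00000800,?,00000034), ref: 008314E6",
    "• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0082983F",
    "• Part of subcall function 00831487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 008314B1",
    "• Part of subcall function 008313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00831409",
    "• Part of subcall function 008313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0082925A,00000034,?,?,00001004,00000000,00000000), ref: 00831419",
    "• Part of subcall function 008313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0082925A,00000034,?,?,00001004,00000000,00000000), ref: 0083142F",
    "• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008298AC",
    "• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008298F9",
]

# winnt.h process access rights (fixed ABI values).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# winnt.h page protections; any PAGE_EXECUTE* flag sits in the 0xF0 nibble.
PAGE_PROTECTIONS = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# commctrl.h: TVM_* = 0x1100 + n, LVM_* = 0x1000 + n. Each of these carries a
# pointer (RECT, TVHITTESTINFO, LVITEM) that must be mapped in the target process.
CONTROL_MESSAGES = {0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW",
                    0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST"}
# APIs that would turn a remote buffer into remote execution.
CODE_INJECTION_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
                       "SetThreadContext", "NtSetContextThread", "QueueUserAPC",
                       "NtQueueApcThread", "NtMapViewOfSection"}

API_LINE = re.compile(r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)")


def parse_api_line(line: str) -> Optional[dict]:
    """Parse one 'Api.MODULE(args), ref: addr' line; unknown args ('?') become None."""
    m = API_LINE.search(line)
    if not m:
        return None
    api, module, argstr, ref = m.groups()
    args = [int(a.strip(), 16) if re.fullmatch(r"[0-9A-Fa-f]+", a.strip()) else None
            for a in argstr.split(",")]
    return {"api": api, "module": module, "args": args, "ref": int(ref, 16)}


def decode_access_mask(mask: int) -> list:
    """Expand an OpenProcess dwDesiredAccess value into PROCESS_* names, low bit first."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def classify_remote_memory_use(lines) -> dict:
    """Decide whether a remote-memory call chain is data-only or carries injection indicators."""
    calls = [c for c in map(parse_api_line, lines) if c]
    seen = {c["api"] for c in calls}
    rights, protection, messages, executable = [], None, set(), False
    for c in calls:
        a = c["args"]
        if c["api"] == "OpenProcess" and a and a[0] is not None:
            rights = decode_access_mask(a[0])
        elif c["api"] == "VirtualAllocEx" and len(a) > 4 and a[4] is not None:
            protection = PAGE_PROTECTIONS.get(a[4], f"0x{a[4]:x}")
            executable = bool(a[4] & 0xF0)
        elif c["api"] == "SendMessageW" and len(a) > 1 and a[1] is not None:
            messages.add(CONTROL_MESSAGES.get(a[1], f"MSG_0x{a[1]:04x}"))
    if seen & CODE_INJECTION_APIS or executable:
        verdict = "remote code injection indicators: executable memory or thread/APC control"
    elif {"VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"} <= seen and messages:
        # Analyst assumption: this is the AutoIt runtime's ControlTreeView/ControlListView helper.
        verdict = "data-only cross-process control-message buffer (AutoIt ControlTreeView/ControlListView pattern)"
    else:
        verdict = "inconclusive"
    return {"open_process_rights": rights, "alloc_protection": protection,
            "messages": sorted(messages), "executable_remote_memory": executable,
            "verdict": verdict}


if __name__ == "__main__":
    for key, value in classify_remote_memory_use(SAMPLE_API_LINES).items():
        print(f"{key}: {value}")
```

Run against the entry, the mask decodes to PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION (no PROCESS_CREATE_THREAD), the allocation is MEM_COMMIT with PAGE_READWRITE, and the messages are TVM_GETITEMRECT and TVM_HITTEST, so the chain is the data-only case. The 0x1073 and 0x1004 values visible in the caller context of the ReadProcessMemory and OpenProcess lines are LVM_GETITEMTEXTW and LVM_GETITEMCOUNT, which fits the same helper also serving list-view reads. The practical caveat for triage: this function accounts for the foreign-memory writes attributed to the AutoIt stage, and the AgentTesla payload and keylogging code the report identifies elsewhere (.Net Source) should be examined separately rather than inferred from this chain.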
                                                                    APIs
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0085F910,00000000,?,?,?,?), ref: 008579DF
                                                                    • GetWindowLongW.USER32 ref: 008579FC
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00857A0C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long
                                                                    • String ID: SysTreeView32
                                                                    • API String ID: 847901565-1698111956
                                                                    • Opcode ID: b84a162a3f6c918c864e4a4d933cad158025c3092bd7a47de7b8c046ddd40605
                                                                    • Instruction ID: 2c7442c0dd54e8f999350c8bb50c527735438effb69a8994208b80480895fb39
                                                                    • Opcode Fuzzy Hash: b84a162a3f6c918c864e4a4d933cad158025c3092bd7a47de7b8c046ddd40605
                                                                    • Instruction Fuzzy Hash: 7231FE31204206ABDB118E38DC05BEA7BA9FF04325F248725F975E32E1D734ED558B60
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00857461
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00857475
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00857499
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window
                                                                    • String ID: SysMonthCal32
                                                                    • API String ID: 2326795674-1439706946
                                                                    • Opcode ID: 54fa9c865c0c0c9a9d0a296624155fa260828493ba143f8556601813c6e4ae49
                                                                    • Instruction ID: 9db5238440b5879642c2a39ce5716acbf54d7c556265906fc603a923e497f05e
                                                                    • Opcode Fuzzy Hash: 54fa9c865c0c0c9a9d0a296624155fa260828493ba143f8556601813c6e4ae49
                                                                    • Instruction Fuzzy Hash: D321BF32600218BBDF118EA4DC46FEA3BAAFB48725F114214FE15AB190DA75AC55CBA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00857C4A
                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00857C58
                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00857C5F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$DestroyWindow
                                                                    • String ID: msctls_updown32
                                                                    • API String ID: 4014797782-2298589950
                                                                    • Opcode ID: 519652f24c90492f443ccd32ada631d60c3735a1a40a2da3a97a6a8107df43ee
                                                                    • Instruction ID: d7be1c722a9ddbde5b86bc90bbf1e9bf4a88f1697bed53bc1e593685806e1f18
                                                                    • Opcode Fuzzy Hash: 519652f24c90492f443ccd32ada631d60c3735a1a40a2da3a97a6a8107df43ee
                                                                    • Instruction Fuzzy Hash: B9215AB1604208AFDB11EF28DC81CA737ECFB5A3A5B544059FA01DB3A1CA31EC058B60
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00856D3B
                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00856D4B
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00856D70
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$MoveWindow
                                                                    • String ID: Listbox
                                                                    • API String ID: 3315199576-2633736733
                                                                    • Opcode ID: 267a37bc33d5b79679ccf4ddc7e97d358b5464bb090abaf2c1c62ceb48d851ef
                                                                    • Instruction ID: 86020c3803209aad3f2953d6d4d489a935e8e5597b0decc68836c58ce0d7675c
                                                                    • Opcode Fuzzy Hash: 267a37bc33d5b79679ccf4ddc7e97d358b5464bb090abaf2c1c62ceb48d851ef
                                                                    • Instruction Fuzzy Hash: 4121C232600118BFDF118F54CC45FBB3BBAFF89761F418124FA459B1A0D6719C658BA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00857772
                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00857787
                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00857794
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: msctls_trackbar32
                                                                    • API String ID: 3850602802-1010561917
                                                                    • Opcode ID: 981564ed63a72d914866a1c2344f3bad2b453d25ccdba6282013268de9439636
                                                                    • Instruction ID: 3f44146367c06171ee9c328c3745b55931f7412691264b18eff27bc26831ed94
                                                                    • Opcode Fuzzy Hash: 981564ed63a72d914866a1c2344f3bad2b453d25ccdba6282013268de9439636
                                                                    • Instruction Fuzzy Hash: 0A11E372244208BAEF245F65EC05FEB77A9FF88B65F114229FA41E6190D672E811CB20
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,007D4B83,?), ref: 007D4C44
                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007D4C56
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                    • API String ID: 2574300362-1355242751
                                                                    • Opcode ID: 7a7c47a2b4bc3f8a85bb3bfb021f1564d127b7c2cf149e20330eb2ea923f4be9
                                                                    • Instruction ID: f1d22d2fd3658135f2f463132c8e3d15ca48d41ba612b9cbef4960b5ab2ce40d
                                                                    • Opcode Fuzzy Hash: 7a7c47a2b4bc3f8a85bb3bfb021f1564d127b7c2cf149e20330eb2ea923f4be9
                                                                    • Instruction Fuzzy Hash: 85D01270550B13CFD7205F31D90861677E5BF05352B11883A95A5D6661E678D480C661
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,007D4BD0,?,007D4DEF,?,008952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4C11
                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007D4C23
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                    • API String ID: 2574300362-3689287502
                                                                    • Opcode ID: ff8e14c7389e7d6667583556da663323d10bf7bdca990695c049d8fc009f48b4
                                                                    • Instruction ID: bd84e1a5d2849720068154f53288d8bf6fee9e39af3ffdd68095064afd905ce5
                                                                    • Opcode Fuzzy Hash: ff8e14c7389e7d6667583556da663323d10bf7bdca990695c049d8fc009f48b4
                                                                    • Instruction Fuzzy Hash: CCD01230551B13CFD7206F71D948606B6E5FF09352B118C3A9595D6651E7B8D480CB61
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00851039), ref: 00850DF5
                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00850E07
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                    • API String ID: 2574300362-4033151799
                                                                    • Opcode ID: 58fd9b5caf3ff4ff81c5004827d1fc4bda98ff773052da5d1fbae9e317532556
                                                                    • Instruction ID: f6cfef2339ec9c7e363b60432a7fd061fdac59edbbf7eca7c7e5abc2afe29c67
                                                                    • Opcode Fuzzy Hash: 58fd9b5caf3ff4ff81c5004827d1fc4bda98ff773052da5d1fbae9e317532556
                                                                    • Instruction Fuzzy Hash: 66D08230440B22CFC322AF70C80928272E5FF00393F248C2ED9D2C2250E6B8D8908A40
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00848CF4,?,0085F910), ref: 008490EE
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00849100
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                    • API String ID: 2574300362-199464113
                                                                    • Opcode ID: 447a533dafdd24a4d90d95d3d69748c4acbc7f043eb4b30393951ba346eff006
                                                                    • Instruction ID: c97724c998dc6066430fef67ebea924f8efa6d1877d65f57513a8d0538aac9d1
                                                                    • Opcode Fuzzy Hash: 447a533dafdd24a4d90d95d3d69748c4acbc7f043eb4b30393951ba346eff006
                                                                    • Instruction Fuzzy Hash: 7DD01734550B13CFDB30AF31D81860776E5FF05392B12887AEAD6D6A91FA78C880CB91
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: LocalTime__swprintf
                                                                    • String ID: %.3d$WIN_XPe
                                                                    • API String ID: 2070861257-2409531811
                                                                    APIs
                                                                    • CharLowerBuffW.USER32(?,?), ref: 0084E0BE
                                                                    • CharLowerBuffW.USER32(?,?), ref: 0084E101
                                                                      • Part of subcall function 0084D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0084D7C5
                                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0084E301
                                                                    • _memmove.LIBCMT ref: 0084E314
                                                                    Similarity
                                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                                    • String ID:
                                                                    • API String ID: 3659485706-0
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 008480C3
                                                                    • CoUninitialize.OLE32 ref: 008480CE
                                                                      • Part of subcall function 0082D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0082D5D4
                                                                    • VariantInit.OLEAUT32(?), ref: 008480D9
                                                                    • VariantClear.OLEAUT32(?), ref: 008483AA
                                                                    Similarity
                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                    • String ID:
                                                                    • API String ID: 780911581-0
                                                                    APIs
                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00862C7C,?), ref: 008276EA
                                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00862C7C,?), ref: 00827702
                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,0085FB80,000000FF,?,00000000,00000800,00000000,?,00862C7C,?), ref: 00827727
                                                                    • _memcmp.LIBCMT ref: 00827748
                                                                    Similarity
                                                                    • API ID: FromProg$FreeTask_memcmp
                                                                    • String ID:
                                                                    • API String ID: 314563124-0
                                                                    Similarity
                                                                    • API ID: Variant$AllocClearCopyInitString
                                                                    • String ID:
                                                                    • API String ID: 2808897238-0
                                                                    APIs
                                                                    • GetWindowRect.USER32(01150030,?), ref: 00859863
                                                                    • ScreenToClient.USER32(00000002,00000002), ref: 00859896
                                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00859903
                                                                    Similarity
                                                                    • API ID: Window$ClientMoveRectScreen
                                                                    • String ID:
                                                                    • API String ID: 3880355969-0
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00829AD2
                                                                    • __itow.LIBCMT ref: 00829B03
                                                                      • Part of subcall function 00829D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00829DBE
                                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00829B6C
                                                                    • __itow.LIBCMT ref: 00829BC3
                                                                    Similarity
                                                                    • API ID: MessageSend$__itow
                                                                    • String ID:
                                                                    • API String ID: 3379773720-0
                                                                    APIs
                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 008469D1
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 008469E1
                                                                      • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                                      • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00846A45
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00846A51
                                                                    Similarity
                                                                    • API ID: ErrorLast$__itow__swprintfsocket
                                                                    • String ID:
                                                                    • API String ID: 2214342067-0
                                                                    APIs
                                                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0085F910), ref: 008464A7
                                                                    • _strlen.LIBCMT ref: 008464D9
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID:
                                                                    • API String ID: 4218353326-0
                                                                    APIs
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0083B89E
                                                                    • GetLastError.KERNEL32(?,00000000), ref: 0083B8C4
                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0083B8E9
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0083B915
                                                                    Similarity
                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                    • String ID:
                                                                    • API String ID: 3321077145-0
                                                                    APIs
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008588DE
                                                                    Similarity
                                                                    • API ID: InvalidateRect
                                                                    • String ID:
                                                                    • API String ID: 634782764-0
                                                                    APIs
                                                                    • ClientToScreen.USER32(?,?), ref: 0085AB60
                                                                    • GetWindowRect.USER32(?,?), ref: 0085ABD6
                                                                    • PtInRect.USER32(?,?,0085C014), ref: 0085ABE6
                                                                    • MessageBeep.USER32(00000000), ref: 0085AC57
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                    • String ID:
                                                                    • API String ID: 1352109105-0
                                                                    • Opcode ID: 8c30516f3c45673e79f0b771b2d53aa62f2b88de737700a14e983241ac4f3af2
                                                                    • Instruction ID: 53afa000ff74f4cd9beb9cee108d1e522c6278fe0cce656fecbe5e12d35f510b
                                                                    • Opcode Fuzzy Hash: 8c30516f3c45673e79f0b771b2d53aa62f2b88de737700a14e983241ac4f3af2
                                                                    • Instruction Fuzzy Hash: 2F418C30600219DFCF1ADF58C8C4A697BF5FF49312F1882A9E955DB261D731AC49CB92
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00830B27
                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00830B43
                                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00830BA9
                                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00830BFB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    • Opcode ID: cc1b59d122f93f23dbec40ac0a29e42b4c70769ae5d263c0f13a62c2ac05d58b
                                                                    • Instruction ID: 661cd4fed5e2b998e2d16ccf84c15e430766d204b8267bb0cfc8b0fcc09bceaa
                                                                    • Opcode Fuzzy Hash: cc1b59d122f93f23dbec40ac0a29e42b4c70769ae5d263c0f13a62c2ac05d58b
                                                                    • Instruction Fuzzy Hash: 0A313B709442186EFB308B698C15BFAFBA5FB85339F04425AF581D11D1C37489819BD1
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00830C66
                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00830C82
                                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00830CE1
                                                                    • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00830D33
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    • Opcode ID: 5ffc13c05ee402858907f1b09224386bdf06639e36535000a5b7aaa9d950623c
                                                                    • Instruction ID: de95e282f233e986fd05c2182dae92c8478d52515287a542b55d505400d71c2e
                                                                    • Opcode Fuzzy Hash: 5ffc13c05ee402858907f1b09224386bdf06639e36535000a5b7aaa9d950623c
                                                                    • Instruction Fuzzy Hash: 273124309002186EFF308B6888247FEBBA6FB85311F14536AE581D21D2D3799986CBD2
                                                                    APIs
                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008061FB
                                                                    • __isleadbyte_l.LIBCMT ref: 00806229
                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00806257
                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0080628D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                    • String ID:
                                                                    • API String ID: 3058430110-0
                                                                    • Opcode ID: 18a1ebcfc84c06ea985e5b8d5abced5268e6f888cf54d5c08b47c1f8ee102a8f
                                                                    • Instruction ID: 654ea705375859294989b96c8ee8ece6ee5e1c72dae849640cde881b3ae9ae81
                                                                    • Opcode Fuzzy Hash: 18a1ebcfc84c06ea985e5b8d5abced5268e6f888cf54d5c08b47c1f8ee102a8f
                                                                    • Instruction Fuzzy Hash: B5318E3160424AEFEB619F65CC48BBA7BA9FF42310F154129E864D71E1E731D970DB90
                                                                    APIs
                                                                    • GetForegroundWindow.USER32 ref: 00854F02
                                                                      • Part of subcall function 00833641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0083365B
                                                                      • Part of subcall function 00833641: GetCurrentThreadId.KERNEL32 ref: 00833662
                                                                      • Part of subcall function 00833641: AttachThreadInput.USER32(00000000,?,00835005), ref: 00833669
                                                                    • GetCaretPos.USER32(?), ref: 00854F13
                                                                    • ClientToScreen.USER32(00000000,?), ref: 00854F4E
                                                                    • GetForegroundWindow.USER32 ref: 00854F54
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                    • String ID:
                                                                    • API String ID: 2759813231-0
                                                                    • Opcode ID: e7f209371980f8d427155e4a1a0373733877013542bfa6850d92efa10bfd20a4
                                                                    • Instruction ID: 8687a9931f19811a57422e498d478046da45aa8860a552a27018e2bc4057d19f
                                                                    • Opcode Fuzzy Hash: e7f209371980f8d427155e4a1a0373733877013542bfa6850d92efa10bfd20a4
                                                                    • Instruction Fuzzy Hash: 71311E71D00208AFDB00EFA9C8859EFB7FDFF98304F10406AE515E7241EA759E458BA1
                                                                    APIs
                                                                      • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                                    • GetCursorPos.USER32(?), ref: 0085C4D2
                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0080B9AB,?,?,?,?,?), ref: 0085C4E7
                                                                    • GetCursorPos.USER32(?), ref: 0085C534
                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0080B9AB,?,?,?), ref: 0085C56E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                    • String ID:
                                                                    • API String ID: 2864067406-0
                                                                    • Opcode ID: 0c3e8a1fa84488629c4cf539acaaa0abfb53aa0e02f73941c18c10676e1e730e
                                                                    • Instruction ID: ff99ec5efb0cd6c19175ef5703fa8618af2aa77d2c2d1a4a4d72f0c7e3be16f5
                                                                    • Opcode Fuzzy Hash: 0c3e8a1fa84488629c4cf539acaaa0abfb53aa0e02f73941c18c10676e1e730e
                                                                    • Instruction Fuzzy Hash: 7831EE35600618EFCF229F98C858EAA7BB5FB09312F044069FD05CB262D735AD58DFA4
                                                                    APIs
                                                                      • Part of subcall function 0082810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00828121
                                                                      • Part of subcall function 0082810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0082812B
                                                                      • Part of subcall function 0082810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0082813A
                                                                      • Part of subcall function 0082810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00828141
                                                                      • Part of subcall function 0082810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00828157
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008286A3
                                                                    • _memcmp.LIBCMT ref: 008286C6
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008286FC
                                                                    • HeapFree.KERNEL32(00000000), ref: 00828703
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                    • String ID:
                                                                    • API String ID: 1592001646-0
                                                                    • Opcode ID: d0d7cf2cca7464dfac7bf6c523368c20a20c9d00350551d5efb40e9f54ffd573
                                                                    • Instruction ID: f80778f3eb9a514ed2dc5cb8e64c791f48c69aecac4f419591eb93ca7e2f095a
                                                                    • Opcode Fuzzy Hash: d0d7cf2cca7464dfac7bf6c523368c20a20c9d00350551d5efb40e9f54ffd573
                                                                    • Instruction Fuzzy Hash: 47217A71E42218EFDF10DFA4D948BAEB7B8FF60315F144059E405A7281DB30AE45CB50
                                                                    APIs
                                                                    • __setmode.LIBCMT ref: 007F09AE
                                                                      • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837896,?,?,00000000), ref: 007D5A2C
                                                                      • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837896,?,?,00000000,?,?), ref: 007D5A50
                                                                    • _fprintf.LIBCMT ref: 007F09E5
                                                                    • OutputDebugStringW.KERNEL32(?), ref: 00825DBB
                                                                      • Part of subcall function 007F4AAA: _flsall.LIBCMT ref: 007F4AC3
                                                                    • __setmode.LIBCMT ref: 007F0A1A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                    • String ID:
                                                                    • API String ID: 521402451-0
                                                                    • Opcode ID: 6bcff6f03c48c85510bc77dd80171cc60f0995c086b2f37141e03be8773b90ab
                                                                    • Instruction ID: b34200fe96449f876cebdd5ae7a209e8626790a9444026151663073d4b2f0485
                                                                    • Opcode Fuzzy Hash: 6bcff6f03c48c85510bc77dd80171cc60f0995c086b2f37141e03be8773b90ab
                                                                    • Instruction Fuzzy Hash: D7110532904208EFDB04B3B49C4E9BE7B68EF81320F244016F304A7383EE28588257E5
                                                                    APIs
                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008417A3
                                                                      • Part of subcall function 0084182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0084184C
                                                                      • Part of subcall function 0084182D: InternetCloseHandle.WININET(00000000), ref: 008418E9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseConnectHandleOpen
                                                                    • String ID:
                                                                    • API String ID: 1463438336-0
                                                                    • Opcode ID: b6e044e3ad0483630772f9c960c077fbe550804325819cc14279c23aa12dc6ba
                                                                    • Instruction ID: d2e54b2b05cc31d496ff1407b3af21dda75d0d32c4a2edd840202303a30fc7b6
                                                                    • Opcode Fuzzy Hash: b6e044e3ad0483630772f9c960c077fbe550804325819cc14279c23aa12dc6ba
                                                                    • Instruction Fuzzy Hash: EC21F036200709BFEF129F64CC04FBABBA9FF48711F10402AFA41D6651DB75D850ABA0
                                                                    APIs
                                                                    • GetFileAttributesW.KERNEL32(?,0085FAC0), ref: 00833A64
                                                                    • GetLastError.KERNEL32 ref: 00833A73
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00833A82
                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0085FAC0), ref: 00833ADF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                                    • String ID:
                                                                    • API String ID: 2267087916-0
                                                                    • Opcode ID: 49b89b77bab710aff85c8f818cfdf30e19ec14d7336fefcbe326e1a266955e8a
                                                                    • Instruction ID: 19d1909ad6c1a3fdd943c9b4e08ca4cccb4716b0aa4cdb16a4c96bf96efc23c3
                                                                    • Opcode Fuzzy Hash: 49b89b77bab710aff85c8f818cfdf30e19ec14d7336fefcbe326e1a266955e8a
                                                                    • Instruction Fuzzy Hash: B621A6745087159F8700DF28C88586ABBE8FF95368F104A1EF499D72A2D735DE45CB82
                                                                    APIs
                                                                      • Part of subcall function 0082F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0082DCD3,?,?,?,0082EAC6,00000000,000000EF,00000119,?,?), ref: 0082F0CB
                                                                      • Part of subcall function 0082F0BC: lstrcpyW.KERNEL32(00000000,?,?,0082DCD3,?,?,?,0082EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0082F0F1
                                                                      • Part of subcall function 0082F0BC: lstrcmpiW.KERNEL32(00000000,?,0082DCD3,?,?,?,0082EAC6,00000000,000000EF,00000119,?,?), ref: 0082F122
                                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0082EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0082DCEC
                                                                    • lstrcpyW.KERNEL32(00000000,?,?,0082EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0082DD12
                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0082EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0082DD46
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                    • String ID: cdecl
                                                                    • API String ID: 4031866154-3896280584
                                                                    • Opcode ID: 0a62749302696e6d84983a1313f4b2db707aa20d0312055b6164ed654ee43875
                                                                    • Instruction ID: bf556498571aaf6d4979c49dbff4bb00f9b8628ffabf1509a9971411c09bcbec
                                                                    • Opcode Fuzzy Hash: 0a62749302696e6d84983a1313f4b2db707aa20d0312055b6164ed654ee43875
                                                                    • Instruction Fuzzy Hash: 0111D33A200715EBDB25AF34E845D7A7BB8FF45310B40402AF906CB3A1EB759881CBD1
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00805101
                                                                      • Part of subcall function 007F571C: __FF_MSGBANNER.LIBCMT ref: 007F5733
                                                                      • Part of subcall function 007F571C: __NMSG_WRITE.LIBCMT ref: 007F573A
                                                                      • Part of subcall function 007F571C: RtlAllocateHeap.NTDLL(01130000,00000000,00000001,00000000,?,?,?,007F0DD3,?), ref: 007F575F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap_free
                                                                    • String ID:
                                                                    • API String ID: 614378929-0
                                                                    • Opcode ID: b732e67cdd9135455ab5c997cdc4bc59abcf3007064f67a33913b4e8c3537120
                                                                    • Instruction ID: 2492e207fe52087cc47d103128ae3d041ed0754a254adff19a717fa68ffebf4b
                                                                    • Opcode Fuzzy Hash: b732e67cdd9135455ab5c997cdc4bc59abcf3007064f67a33913b4e8c3537120
                                                                    • Instruction Fuzzy Hash: 9A1191B2604A19EEDBA12F74AC4977F3798FF04361B10092AFA55D6391DE3889409AA1
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 007D44CF
                                                                      • Part of subcall function 007D407C: _memset.LIBCMT ref: 007D40FC
                                                                      • Part of subcall function 007D407C: _wcscpy.LIBCMT ref: 007D4150
                                                                      • Part of subcall function 007D407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007D4160
                                                                    • KillTimer.USER32(?,00000001,?,?), ref: 007D4524
                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007D4533
                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0080D4B9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                    • String ID:
                                                                    • API String ID: 1378193009-0
                                                                    • Opcode ID: 48efde4f6287a882caf06f663ab591934054029a9574dee872812d8ee67ff743
                                                                    • Instruction ID: f17913f685956590b9a962d170839a06d5883bafc593fb809034f5d88af0055c
                                                                    • Opcode Fuzzy Hash: 48efde4f6287a882caf06f663ab591934054029a9574dee872812d8ee67ff743
                                                                    • Instruction Fuzzy Hash: 4E21C570504784AFE7729B64DC59BE6BBECFF05319F04009EE79E96282C3782984CB55
                                                                    APIs
                                                                      • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837896,?,?,00000000), ref: 007D5A2C
                                                                      • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837896,?,?,00000000,?,?), ref: 007D5A50
                                                                    • gethostbyname.WSOCK32(?), ref: 00846399
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 008463A4
                                                                    • _memmove.LIBCMT ref: 008463D1
                                                                    • inet_ntoa.WSOCK32(?), ref: 008463DC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                    • String ID:
                                                                    • API String ID: 1504782959-0
                                                                    • Opcode ID: 022eb0d7b5c4389523ddce02adb1247ed3c4cb8d105b680b7ccbd3b143eb1790
                                                                    • Instruction ID: ff50d640809621c6ba642d5f5722bbd01ab50f76385f4e34013d31845140cf72
                                                                    • Opcode Fuzzy Hash: 022eb0d7b5c4389523ddce02adb1247ed3c4cb8d105b680b7ccbd3b143eb1790
                                                                    • Instruction Fuzzy Hash: FF113A36500109EFCB00FBA4DD4ACAEBBB8FF44311B144066F605E7262EB34AE14DB61
                                                                    APIs
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00828B61
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00828B73
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00828B89
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00828BA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: df0941e01ad0361ae938d1db09c215ae10c381d374fe931ef92c0d9cf26d8bbb
                                                                    • Instruction ID: 117ac8b710bd11680329400da6e21226f002d6614ef3f8e686200efeeff9b103
                                                                    • Opcode Fuzzy Hash: df0941e01ad0361ae938d1db09c215ae10c381d374fe931ef92c0d9cf26d8bbb
                                                                    • Instruction Fuzzy Hash: B2110A79901218FFDF11DB95C885E9DBBB4FB48710F204095EA00B7250DA716E51DB94
                                                                    APIs
                                                                      • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                                    • DefDlgProcW.USER32(?,00000020,?), ref: 007D12D8
                                                                    • GetClientRect.USER32(?,?), ref: 0080B5FB
                                                                    • GetCursorPos.USER32(?), ref: 0080B605
                                                                    • ScreenToClient.USER32(?,?), ref: 0080B610
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                                    • String ID:
                                                                    • API String ID: 4127811313-0
                                                                    • Opcode ID: 7a7d3f9951210fcb023d45a55107bafa58ad123473b3715b65348008358e36db
                                                                    • Instruction ID: 5ea407b81af1a5d821a9aec916b1701563e3b4646d3d137e86143b8f322cc706
                                                                    • Opcode Fuzzy Hash: 7a7d3f9951210fcb023d45a55107bafa58ad123473b3715b65348008358e36db
                                                                    • Instruction Fuzzy Hash: 9F112535A00119FBCB10EFA8D8899AE77B9FB05301F900466FA01E7241D739BA55CBA5
                                                                    APIs
                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0082FCED,?,00830D40,?,00008000), ref: 0083115F
                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0082FCED,?,00830D40,?,00008000), ref: 00831184
                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0082FCED,?,00830D40,?,00008000), ref: 0083118E
                                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,0082FCED,?,00830D40,?,00008000), ref: 008311C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CounterPerformanceQuerySleep
                                                                    • String ID:
                                                                    • API String ID: 2875609808-0
                                                                    • Opcode ID: b42af3b1f608c81bc69053e8659ac2801e4c172b9708808ce14567650d7ae3ef
                                                                    • Instruction ID: bbd73207e886ac8118f0d47adefe1b6800c25dbd7bdcb9fd70f2977e07cc5c6d
                                                                    • Opcode Fuzzy Hash: b42af3b1f608c81bc69053e8659ac2801e4c172b9708808ce14567650d7ae3ef
                                                                    • Instruction Fuzzy Hash: 3E113C31D41A1DD7CF00AFA5D848AEEBB78FF49B11F004055EA41F2241CB749560CBD5
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0082D84D
                                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0082D864
                                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0082D879
                                                                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0082D897
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Type$Register$FileLoadModuleNameUser
                                                                    • String ID:
                                                                    • API String ID: 1352324309-0
                                                                    • Opcode ID: a04029876c0fe7f5f943504c25fde7315d21f37544cb55c66680160140ad6422
                                                                    • Instruction ID: 622398818522acb87b1fa5d25d201a0dd5b87e50e9f0fe2051b91147149ec246
                                                                    • Opcode Fuzzy Hash: a04029876c0fe7f5f943504c25fde7315d21f37544cb55c66680160140ad6422
                                                                    • Instruction Fuzzy Hash: FC115EB5605329DBE3208F50EC08F93BBBCFB00B04F108979AA56D6051D7B4E5899BA5
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                    • String ID:
                                                                    • API String ID: 3016257755-0
                                                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                    • Instruction ID: 8de9384918a2010f4f49078301cba318762000f84dfc185fc87443bc8edac29d
                                                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                    • Instruction Fuzzy Hash: 0401407284454EBBCF565F88CC02CED3F66FB18354F588515FE18980B1D236E9B1AB81
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 0085B2E4
                                                                    • ScreenToClient.USER32(?,?), ref: 0085B2FC
                                                                    • ScreenToClient.USER32(?,?), ref: 0085B320
                                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0085B33B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                    • String ID:
                                                                    • API String ID: 357397906-0
                                                                    • Opcode ID: eb4b4b0f2b52a6ae15bda28e64326fc87fc938a00c2e2f303e11f472f8fa3980
                                                                    • Instruction ID: 8ca4a2bb39c6638590bff277c4363b578a392c9ead195434eb7863650064953c
                                                                    • Opcode Fuzzy Hash: eb4b4b0f2b52a6ae15bda28e64326fc87fc938a00c2e2f303e11f472f8fa3980
                                                                    • Instruction Fuzzy Hash: B41144B9D00209EFDB41CFA9C8849EEBBF9FF18311F108166E914E3220D735AA558F50
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0085B644
                                                                    • _memset.LIBCMT ref: 0085B653
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00896F20,00896F64), ref: 0085B682
                                                                    • CloseHandle.KERNEL32 ref: 0085B694
                                                                    Similarity
                                                                    • API ID: _memset$CloseCreateHandleProcess
                                                                    • String ID:
                                                                    • API String ID: 3277943733-0
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00836BE6
                                                                      • Part of subcall function 008376C4: _memset.LIBCMT ref: 008376F9
                                                                    • _memmove.LIBCMT ref: 00836C09
                                                                    • _memset.LIBCMT ref: 00836C16
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00836C26
                                                                    Similarity
                                                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                    • String ID:
                                                                    • API String ID: 48991266-0
                                                                    APIs
                                                                    • GetSysColor.USER32(00000008), ref: 007D2231
                                                                    • SetTextColor.GDI32(?,000000FF), ref: 007D223B
                                                                    • SetBkMode.GDI32(?,00000001), ref: 007D2250
                                                                    • GetStockObject.GDI32(00000005), ref: 007D2258
                                                                    • GetWindowDC.USER32(?,00000000), ref: 0080BE83
                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0080BE90
                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0080BEA9
                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0080BEC2
                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0080BEE2
                                                                    • ReleaseDC.USER32(?,00000000), ref: 0080BEED
                                                                    Similarity
                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                    • String ID:
                                                                    • API String ID: 1946975507-0
                                                                    APIs
                                                                    • GetCurrentThread.KERNEL32 ref: 0082871B
                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,008282E6), ref: 00828722
                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008282E6), ref: 0082872F
                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,008282E6), ref: 00828736
                                                                    Similarity
                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                    • String ID:
                                                                    • API String ID: 3974789173-0
                                                                    APIs
                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 0082B4BE
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ContainedObject
                                                                    • String ID: AutoIt3GUI$Container
                                                                    • API String ID: 3565006973-3941886329
                                                                    APIs
                                                                      • Part of subcall function 007EFC86: _wcscpy.LIBCMT ref: 007EFCA9
                                                                      • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                                      • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                                    • __wcsnicmp.LIBCMT ref: 0083B02D
                                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0083B0F6
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                    • String ID: LPT
                                                                    • API String ID: 3222508074-1350329615
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000000), ref: 007E2968
                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 007E2981
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: GlobalMemorySleepStatus
                                                                    • String ID: @
                                                                    • API String ID: 2783356886-2766056989
                                                                    APIs
                                                                      • Part of subcall function 007D4F0B: __fread_nolock.LIBCMT ref: 007D4F29
                                                                    • _wcscmp.LIBCMT ref: 00839824
                                                                    • _wcscmp.LIBCMT ref: 00839837
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _wcscmp$__fread_nolock
                                                                    • String ID: FILE
                                                                    • API String ID: 4029003684-3121273764
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0084259E
                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008425D4
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CrackInternet_memset
                                                                    • String ID: |
                                                                    • API String ID: 1413715105-2343686810
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00857B61
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00857B76
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: '
                                                                    • API String ID: 3850602802-1997036262
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,?,?,?), ref: 00856B17
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00856B53
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Window$DestroyMove
                                                                    • String ID: static
                                                                    • API String ID: 2139405536-2160076837
                                                                    • Opcode ID: e7f7e91d7ca0f9b338c461679154225725cfa98d3407e1f8a42861947f2b19a7
                                                                    • Instruction ID: 4d612ce506f82bbe3e5a08e64f4dbd444dc981f16b58647fad924c679867389d
                                                                    • Opcode Fuzzy Hash: e7f7e91d7ca0f9b338c461679154225725cfa98d3407e1f8a42861947f2b19a7
                                                                    • Instruction Fuzzy Hash: DB319E71200604AEDB119F68CC80BFB77B9FF48761F50861AFDA5D7190EA34AC95CB60
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00832911
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0083294C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: InfoItemMenu_memset
                                                                    • String ID: 0
                                                                    • API String ID: 2223754486-4108050209
                                                                    • Opcode ID: 4199fd73300359a3ce1a1a0fa59f7b53a891784325e036560d87d463ee197fd7
                                                                    • Instruction ID: 8aa27fa84de744f5495f5fcbef574364d234282d6065a183e79192929c28633e
                                                                    • Opcode Fuzzy Hash: 4199fd73300359a3ce1a1a0fa59f7b53a891784325e036560d87d463ee197fd7
                                                                    • Instruction Fuzzy Hash: 2231BF31A00309EBEB25DE58C885FAEBFA8FF85350F180069ED85E62A1D7709944CB91
                                                                    APIs
                                                                    • __snwprintf.LIBCMT ref: 00843A66
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: __snwprintf_memmove
                                                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                                                    • API String ID: 3506404897-2584243854
                                                                    • Opcode ID: 239e0575c641926ccc7788cd6c8579cdd3d6f465d909556be14708254ec4f8eb
                                                                    • Instruction ID: 8720b89d24187c8e6de7e2442d1cb77f7f2fea0ed64b0247576de452fbd95db0
                                                                    • Opcode Fuzzy Hash: 239e0575c641926ccc7788cd6c8579cdd3d6f465d909556be14708254ec4f8eb
                                                                    • Instruction Fuzzy Hash: 63217C3164022DEFCF14EF64CC86AAE77B9FB44700F500455E559EB282EB38AA45CB61
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00856761
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0085676C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: Combobox
                                                                    • API String ID: 3850602802-2096851135
                                                                    • Opcode ID: c6a25a60974c0cd44681a14dbba7a036484732f9412f692a8bef366103e8c861
                                                                    • Instruction ID: fb856013e969510791fd405db34b8af9029c1711724e6039a3d31648df1013b4
                                                                    • Opcode Fuzzy Hash: c6a25a60974c0cd44681a14dbba7a036484732f9412f692a8bef366103e8c861
                                                                    • Instruction Fuzzy Hash: 6C118275300208BFEF259F54CC81EBB37AAFB983A9F504229FD14D7290E6759C6587A0
                                                                    APIs
                                                                      • Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
                                                                      • Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
                                                                      • Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00856C71
                                                                    • GetSysColor.USER32(00000012), ref: 00856C8B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                    • String ID: static
                                                                    • API String ID: 1983116058-2160076837
                                                                    • Opcode ID: d8246dbb91bbbbdee0154f1c73741d3a7ef7ad8971827d8b1af803223a16e660
                                                                    • Instruction ID: e5ab29dfea66fc5764dbdcae7668326794e3639706b4256e7652032305bfcc4e
                                                                    • Opcode Fuzzy Hash: d8246dbb91bbbbdee0154f1c73741d3a7ef7ad8971827d8b1af803223a16e660
                                                                    • Instruction Fuzzy Hash: 28211472610209AFDF04DFA8CC45AEA7BA9FB08315F404629FE95D3251E635E864DB60
                                                                    APIs
                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 008569A2
                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008569B1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: LengthMessageSendTextWindow
                                                                    • String ID: edit
                                                                    • API String ID: 2978978980-2167791130
                                                                    • Opcode ID: 4e0d3818f22ac51d4136c11feaaaa261d299aa9b2663ce7bc6970b83fe3a72bf
                                                                    • Instruction ID: 2790c4996e525586f625c24aa3c85dde23d1c50c3f8952c577ddf374869b01fa
                                                                    • Opcode Fuzzy Hash: 4e0d3818f22ac51d4136c11feaaaa261d299aa9b2663ce7bc6970b83fe3a72bf
                                                                    • Instruction Fuzzy Hash: FC116D71100209ABEB108E74DC44AEB3BA9FB1537AF904724FEA5D71E0E735DC699760
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00832A22
                                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00832A41
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: InfoItemMenu_memset
                                                                    • String ID: 0
                                                                    • API String ID: 2223754486-4108050209
                                                                    • Opcode ID: 70f728bdff3df21c089a970d89d9c9901bb9211ab463cc0451e006e2137056b1
                                                                    • Instruction ID: f24c4279e3a06065c27be168fabffd455def560a5d08816ab53ff0d3420152b4
                                                                    • Opcode Fuzzy Hash: 70f728bdff3df21c089a970d89d9c9901bb9211ab463cc0451e006e2137056b1
                                                                    • Instruction Fuzzy Hash: D3119332901138ABDB35EA9CDC44BAA77A9FB85314F244121E995E72A0D770AD0AC7D1
                                                                    APIs
                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0084222C
                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00842255
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Internet$OpenOption
                                                                    • String ID: <local>
                                                                    • API String ID: 942729171-4266983199
                                                                    • Opcode ID: aac7d949b73435f3cf808076e5e824a5ecce69b98d18d734cc29032f79afdd3d
                                                                    • Instruction ID: 0057c83fd8b3bf3e335caf6eb58b399a84ff465c6e31d0e9e082dfc9440c9ea5
                                                                    • Opcode Fuzzy Hash: aac7d949b73435f3cf808076e5e824a5ecce69b98d18d734cc29032f79afdd3d
                                                                    • Instruction Fuzzy Hash: C211A070549239BADB258F518C84EBBFBA8FF1A755F50822AFA15D6100D2B06990D6F0
                                                                    APIs
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                      • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
                                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00828E73
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameSend_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 372448540-1403004172
                                                                    • Opcode ID: e695d50ce088988519a4a91dad7851c39daa4b8426fe8c1273c0998221824d1e
                                                                    • Instruction ID: 7267e71ca6e2c454668fc94f67ebaaf78fe885a34d6e5f65c0198370e0273392
                                                                    • Opcode Fuzzy Hash: e695d50ce088988519a4a91dad7851c39daa4b8426fe8c1273c0998221824d1e
                                                                    • Instruction Fuzzy Hash: 9D019275602229EB8F18ABA4DC558FE7379FF05320B54061AB872A73E2EE355848C750
                                                                    APIs
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                      • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
                                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00828D6B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameSend_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 372448540-1403004172
                                                                    • Opcode ID: e601587803e6fcd1391ea2ecdbbb38ceef55f6bf0f943ddc104aea6398050f2e
                                                                    • Instruction ID: a083956112956f1c4dd8968740dbeecde7c1cf0ed4e7e703c8df4b0b7a2f59fc
                                                                    • Opcode Fuzzy Hash: e601587803e6fcd1391ea2ecdbbb38ceef55f6bf0f943ddc104aea6398050f2e
                                                                    • Instruction Fuzzy Hash: 9501B171A41119EBDF18EBA4D956AFE73B8EF15300F10002AB802A3291EE285A0CD661
                                                                    APIs
                                                                      • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                                      • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
                                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00828DEE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameSend_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 372448540-1403004172
                                                                    • Opcode ID: 7a22655fc4519e1c0c16d52c17657b7267e23f01b61b8f96a6fd76535f6b3e7f
                                                                    • Instruction ID: 3a3daac5da530f8662e7da1cf2284863dbc628e98598f01e953a4e95b45bbe28
                                                                    • Opcode Fuzzy Hash: 7a22655fc4519e1c0c16d52c17657b7267e23f01b61b8f96a6fd76535f6b3e7f
                                                                    • Instruction Fuzzy Hash: 74018471A41119E7DF15E6A4D956AFE77A8EF11300F100016B846B32D2DA295E4CD271
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: ClassName_wcscmp
                                                                    • String ID: #32770
                                                                    • API String ID: 2292705959-463685578
                                                                    • Opcode ID: 7045b53dbad18cdaf8aff70fa765858bdb50ee62bd6fef25d31e71eda224ff5d
                                                                    • Instruction ID: 3fba934fbfaa2ef16298a9f821594a396d794b0f9331db53323173c6f93fd94e
                                                                    • Opcode Fuzzy Hash: 7045b53dbad18cdaf8aff70fa765858bdb50ee62bd6fef25d31e71eda224ff5d
                                                                    • Instruction Fuzzy Hash: B7E0D13260432C67D710A795DC49FA7F7ACFB85B71F010067FD04D3151D9649A5587D0
                                                                    APIs
                                                                      • Part of subcall function 0080B314: _memset.LIBCMT ref: 0080B321
                                                                      • Part of subcall function 007F0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0080B2F0,?,?,?,007D100A), ref: 007F0945
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,007D100A), ref: 0080B2F4
                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007D100A), ref: 0080B303
                                                                    Strings
                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0080B2FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                    • API String ID: 3158253471-631824599
                                                                    • Opcode ID: e037877de98bbb3d57bb02e33a8fa6666efa8b013ab8ba59d238e15b095d80d1
                                                                    • Instruction ID: 31bc77809397379324137c93c5aea70f5d2c0c33052527723a25ebb842477ea1
                                                                    • Opcode Fuzzy Hash: e037877de98bbb3d57bb02e33a8fa6666efa8b013ab8ba59d238e15b095d80d1
                                                                    • Instruction Fuzzy Hash: 5CE06D742007018FD760DF68D8083467AE4FF00305F11896DE556C7782E7B8E444CBA1
                                                                    APIs
                                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 00811775
                                                                      • Part of subcall function 0084BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0081195E,?), ref: 0084BFFE
                                                                      • Part of subcall function 0084BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0084C010
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0081196D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                    • String ID: WIN_XPe
                                                                    • API String ID: 582185067-3257408948
                                                                    • Opcode ID: 0ecc8c8cd04ade641dac3b82c928dc0ee3c119e8e0556478ffee7cb301e0a0a9
                                                                    • Instruction ID: 330c470f09b14bfdf3b69f1dabb5e7619805e56aa621beaf8d39a9290d9fcf59
                                                                    • Opcode Fuzzy Hash: 0ecc8c8cd04ade641dac3b82c928dc0ee3c119e8e0556478ffee7cb301e0a0a9
                                                                    • Instruction Fuzzy Hash: 5EF0A570801109DBDB15DBA5C988AECBAB8FF08305F540496E202E2695DB758E84DF61
                                                                    APIs
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008559AE
                                                                    • PostMessageW.USER32(00000000), ref: 008559B5
                                                                      • Part of subcall function 00835244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008352BC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: FindMessagePostSleepWindow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 529655941-2988720461
                                                                    • Opcode ID: b105490f04f9e775f6df051f16b0c8c6c20281137e798007e8d9b2f7c91eab98
                                                                    • Instruction ID: 695dfb7ee9613189fb1150574f82c97fd2926b7ad0be1b57af8f743ba2568302
                                                                    • Opcode Fuzzy Hash: b105490f04f9e775f6df051f16b0c8c6c20281137e798007e8d9b2f7c91eab98
                                                                    • Instruction Fuzzy Hash: 17D0C9313C0311BBE6A4BB70DC0BF976655FB54B51F000825B355EB1D1D9E8A800CA94
                                                                    APIs
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085596E
                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00855981
                                                                      • Part of subcall function 00835244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008352BC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2101316280.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2101296559.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101365407.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101404272.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2101418453.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7d0000_Statement 2024-11-29 (K07234).jbxd
                                                                    Similarity
                                                                    • API ID: FindMessagePostSleepWindow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 529655941-2988720461
                                                                    • Opcode ID: c6723380e2ce72553f833635f03b76eb0315fef9b4103abf2afb8490d96738b3
                                                                    • Instruction ID: 302fc801906148df5d9c1e8c5132dd297976f51df9be044fabf03ab4636c74d3
                                                                    • Opcode Fuzzy Hash: c6723380e2ce72553f833635f03b76eb0315fef9b4103abf2afb8490d96738b3
                                                                    • Instruction Fuzzy Hash: A6D0C935384311B7E6A4BB70DC0BF976A55FB50B51F000825B359EB1D1D9E89800CA94